ReviewMyContract.ai
Vendor Agreement Guide

Vendor Agreement Checklist: Everything to Review Before You Sign

Vendor contracts are written by vendor lawyers to protect vendor interests. This checklist walks through every material clause — from pricing and SLAs to data handling, auto-renewal traps, and international vendor risks — so you know exactly what you're agreeing to and where to push back.

What This Checklist Covers

This guide addresses 19 clause categories in a typical vendor agreement: what each clause governs, what a favorable version looks like, what a problematic version looks like, and how to negotiate improvements. It covers UCC considerations for goods transactions, international vendor risks, and the vendor lock-in tactics most commonly used in enterprise software agreements.

Use the AI contract review tool to analyze your specific vendor agreement and get a clause-by-clause risk assessment in minutes.

01
High Priority

What Is a Vendor Agreement and Why It Deserves a Close Read

"This Master Services Agreement ("Agreement") governs all purchases of products and services by Customer from Vendor and supersedes all prior agreements, purchase orders, and understandings between the parties."

— Example vendor contract language

A vendor agreement is a contract that governs the commercial relationship between a business and an outside supplier of goods, software, services, or infrastructure. It is one of the most consequential documents a business signs — yet it is frequently treated as boilerplate and skimmed rather than reviewed.

Vendor agreements come in many forms. A software vendor may call it a Master Services Agreement (MSA), an Enterprise License Agreement (ELA), or a SaaS Subscription Agreement. A goods supplier may call it a Supply Agreement or Purchase Agreement. A services firm may call it a Professional Services Agreement (PSA). Despite different names, these documents share a common structure: they define what the vendor will deliver, at what price, under what service standards, with what liability exposure, and under what exit conditions.

The clause above establishes that this agreement supersedes all prior agreements and purchase orders. This is standard integration language — and it means that any favorable commitments a salesperson made verbally or in a proposal deck are gone unless they appear in writing in this document or an attached exhibit. Before signing, every promise the vendor made during the sales process should be verified against the contract text.

Why do vendor agreements demand careful review?

First, the financial stakes are high. Multi-year vendor commitments commonly total hundreds of thousands or millions of dollars. Even modest annual software subscriptions compound significantly over a contract term. A single unfavorable clause — an uncapped price escalation, a liability limitation that prevents full recovery for vendor failures, or an auto-renewal with a missed cancellation window — can cost a business far more than the time invested in reviewing the contract.

Second, operational risk is embedded in these documents. A vendor SLA that sounds impressive ("99.9% uptime") may be measured in a way that excludes planned maintenance windows, emergency patches, and degraded-performance incidents — effectively covering only a fraction of actual downtime. Understanding how commitments are actually measured matters as much as the headline numbers.

Third, exit costs are often hidden. Vendors design contracts to maximize retention — not always through excellent service, but through contractual friction. Data portability restrictions, long notice periods, auto-renewal traps, and transition assistance provisions that are vague or absent can make leaving a vendor extraordinarily expensive even when their service is poor.

This guide walks through every material clause category in a typical vendor agreement, explains what favorable and unfavorable versions look like, and provides negotiation priorities for each.

What to Do

Before signing any vendor agreement, create an inventory of every oral or written commitment made during the sales process. Compare each commitment against the executed contract. If a promise does not appear in the contract, treat it as unenforceable. Request an addendum or exhibit that captures any material commitments not reflected in the standard terms. Insist that the integration clause either explicitly excludes your negotiated addendum or that the addendum states it controls over any conflicting standard terms.

02
High Priority

Pricing and Price Escalation: Cap Your Cost Exposure

"Vendor reserves the right to adjust pricing upon thirty (30) days' written notice to Customer. Continued use of the Services following notice of a price adjustment shall constitute Customer's acceptance of such adjustment."

— Example vendor contract language

The pricing section of a vendor agreement controls one of your most immediate financial exposures: how much you pay today and how much you could be forced to pay in the future. The clause above is among the most common and most dangerous provisions a buyer will encounter in a vendor contract.

The mechanism is simple: the vendor gives you 30 days of notice and can raise prices by any amount they choose. Your only alternative is to stop using the service — which, for a deeply integrated software vendor or critical supplier, may be operationally impossible on a 30-day timeline. In practice, this clause gives vendors unilateral pricing power over the life of the contract.

**What to look for in the pricing section:**

*Current pricing and rate schedule.* Verify that the contract reflects the pricing you negotiated. In complex deals, the commercial terms are often in a separate Order Form or Statement of Work that may not align with the MSA. Both documents must be reviewed together.

*Price escalation caps.* Any right to increase prices should be capped. Acceptable caps include: a fixed percentage (e.g., "no more than 3% per year"), an index-based cap (e.g., "no more than CPI for the prior year"), or a lock-in period before any increases are permitted (e.g., "pricing is fixed for the initial 24-month term").

*Most-favored-customer (MFC) clauses.* If you are a significant buyer, request an MFC clause: the vendor must offer you pricing at least as favorable as that offered to similarly situated customers. This is a meaningful protection against being charged more than comparable buyers.

*Volume commitments.* Be cautious of minimum purchase commitments or annual recurring revenue (ARR) commitments that lock you into specific spending levels regardless of actual usage. If your usage declines, you may owe the full committed amount.

*True-up provisions.* SaaS agreements frequently include annual or quarterly true-ups that charge you for usage that exceeded your contracted tier. Understand the pricing for overage consumption before signing — it is typically much higher per unit than your contracted rate.

What to Do

Negotiate a price lock for the initial term — ideally 12–24 months — and cap any subsequent increases. Redline the clause quoted above to read: "Vendor may increase fees applicable to any Renewal Term by no more than [X]% above the fees for the prior term, provided that Vendor gives Customer no less than ninety (90) days' written notice prior to the start of the Renewal Term." If the vendor insists on a CPI-based adjustment, ensure the CPI index is clearly specified (e.g., U.S. Bureau of Labor Statistics CPI-U) and that any increase is capped at actual CPI, not "up to CPI."

03
Medium Priority

Payment Terms: Net Days, Late Fees, and Disputed Invoice Rights

"Payment is due within thirty (30) days of invoice date. Undisputed amounts not paid when due shall accrue interest at the rate of 1.5% per month (18% per annum) or the maximum rate permitted by applicable law, whichever is less. Customer waives the right to dispute any invoice not disputed within fifteen (15) days of receipt."

— Example vendor contract language

Payment terms govern the financial mechanics of the relationship: when invoices are due, what happens if payment is late, and critically, what rights you retain to dispute incorrect invoices. The clause above contains several provisions worth careful attention.

**The 15-day invoice dispute window** is the most significant risk. The clause states that if you do not dispute an invoice within 15 days of receipt, you waive your right to dispute it. In large organizations, 15 days may not be enough time for the invoice to reach the right person, be reviewed against contract terms, and be escalated if a discrepancy is found. This is a trap: you could be bound to pay an erroneous invoice simply because internal processing took longer than 15 days.

**Interest on late payments** at 1.5% per month (18% annualized) is aggressive: it is well above typical commercial short-term borrowing costs. The clause caps the rate at the legal maximum, but in most jurisdictions the legal maximum for commercial debt is above 18%, so the cap rarely helps in practice. Note also that, as written, interest accrues only on "undisputed amounts"; if the word "undisputed" is missing from your vendor's version, a disputed invoice accrues interest while the dispute is pending.

**Payment timing** affects your cash flow planning. Net-30 is standard; some vendors push for Net-15 or even payment in advance, while buyers often prefer Net-45 or Net-60 to align with their own billing cycles.

**Suspension rights.** Many vendor agreements give the vendor the right to suspend service if any invoice is overdue, even a disputed invoice. This can create leverage abuse: a vendor with a disputed invoice can hold your operational service hostage. The dispute and suspension provisions should be read together to understand the full risk.

What to Do

Negotiate the invoice dispute window to at least 30 days, preferably 45. Add language preserving your right to dispute even after payment: "Payment of an invoice shall not constitute acceptance of the invoiced amounts and shall not waive Customer's right to dispute any charges within [90] days of invoice date." Cap late payment interest at a more reasonable rate (e.g., the prime rate plus 2%) and ensure that disputed amounts do not accrue interest. Add explicit language that the vendor may not suspend service solely due to good-faith disputed invoices: "Vendor may not suspend Services based on non-payment of amounts disputed in good faith."

04
High Priority

Service Level Agreements: How Uptime Guarantees Actually Work

"Vendor shall use commercially reasonable efforts to maintain Service availability of 99.9% uptime, measured monthly, excluding scheduled maintenance, emergency maintenance, events beyond Vendor's reasonable control, and degraded performance that does not result in complete unavailability."

— Example vendor contract language

Service level agreements (SLAs) are among the most important and most commonly misunderstood provisions in vendor contracts. A headline "99.9% uptime" guarantee sounds strong — until you understand what is excluded from the measurement.

The math of 99.9% uptime. Monthly measurement of 99.9% allows approximately 43 minutes of downtime per month, or about 8.7 hours per year. That may sound acceptable. But consider what is excluded from measurement in the clause above:

*Scheduled maintenance* — The vendor can schedule maintenance windows and exclude that downtime from SLA calculations entirely. A vendor who schedules a 4-hour maintenance window every Sunday night has effectively granted themselves up to 208 hours of planned downtime per year, none of which counts against the SLA.

*Emergency maintenance* — Similarly undefined and excluded. What constitutes an "emergency" is typically at the vendor's discretion.

*Events beyond reasonable control* — This is force majeure language embedded in the SLA, which compounds with any separate force majeure clause.

*Degraded performance* — This is the most significant exclusion. If the service is slow, intermittent, or partially functional, it may not qualify as "unavailable" and therefore does not count against the SLA. A service that takes 45 seconds to respond instead of 2 seconds may be technically "available" by this definition even though it is operationally unusable.

SLA remedies. The right to a service credit means little if the credit amount is modest (e.g., "10% of the monthly fee") and the credit is the sole remedy for SLA failures. For mission-critical services, SLA failures should create a right to terminate for cause without penalty — not merely a right to a small credit.

SLA measurement and reporting. Who measures uptime? Typically the vendor, using their own monitoring systems. Request third-party measurement or the right to use your own monitoring data in disputes.

What to Do

Negotiate SLAs on three dimensions: (1) measurement methodology — specify that scheduled maintenance counts against availability unless agreed with at least 72 hours' advance notice, and that degraded performance above defined latency thresholds also counts; (2) escalating remedies — credits should escalate with the severity and duration of the outage, and extended outages (e.g., more than 4 consecutive hours) should trigger a right to terminate for cause; (3) measurement independence — request the right to submit your own monitoring data in SLA disputes, and establish a dispute resolution process for SLA disagreements. For critical infrastructure vendors, consider requiring performance bond-backed SLAs for the largest deals.
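The difference between the vendor's measurement method and the one negotiated above is easiest to see on actual monitoring data. The following is an added example, not code from the page or from any vendor's SLA tooling: it computes monthly availability over a constructed month of one-minute probe samples, once with the vendor-style exclusions (all maintenance excluded, only hard outages count) and once with the customer-style rules (maintenance counts unless notice of at least 72 hours was given, and any minute above a latency threshold counts as unavailable). The sample outages, maintenance windows and notice periods are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """One monitoring probe result. One sample per minute of the measurement month."""
    minute: int                          # minute index within the month (0-based)
    up: bool                             # False when the probe got no successful response
    latency_ms: int                      # response time the probe observed
    maintenance_notice_h: Optional[int] = None  # hours of advance notice if the minute
                                                # falls in a maintenance window, else None


def allowed_downtime_minutes(target_pct: float, days_in_month: int) -> float:
    """Downtime budget implied by a monthly uptime target (99.9% over 30 days -> 43.2 min)."""
    return days_in_month * 1440 * (100.0 - target_pct) / 100.0


def availability(samples: List[Sample],
                 count_maintenance_below_notice_h: Optional[int] = None,
                 latency_threshold_ms: Optional[int] = None) -> Tuple[float, int, int]:
    """Return (availability_pct, measured_minutes, downtime_minutes).

    With both optional arguments left at None this reproduces the vendor-style clause:
    every maintenance minute drops out of the denominator and only hard outages count.
    Passing count_maintenance_below_notice_h=72 and latency_threshold_ms=2000 applies the
    negotiated rules: short-notice maintenance is downtime, and slow minutes are downtime.
    """
    measured = 0
    down = 0
    for s in samples:
        if s.maintenance_notice_h is not None:
            properly_noticed = (count_maintenance_below_notice_h is None
                                or s.maintenance_notice_h >= count_maintenance_below_notice_h)
            if properly_noticed:
                continue                 # excluded from measurement entirely
            measured += 1
            down += 1                    # short-notice maintenance counts against the SLA
            continue
        measured += 1
        if not s.up:
            down += 1                    # hard outage
        elif latency_threshold_ms is not None and s.latency_ms > latency_threshold_ms:
            down += 1                    # "available" to the vendor, unusable to the customer
    pct = 100.0 * (measured - down) / measured if measured else 100.0
    return round(pct, 3), measured, down


def meets_sla(availability_pct: float, target_pct: float) -> bool:
    return availability_pct >= target_pct


def build_constructed_month() -> List[Sample]:
    """A 30-day month of constructed probe data (43,200 one-minute samples) containing:
    - a 240-minute maintenance window announced with 24 hours' notice (minutes 1000-1239)
    - a 20-minute hard outage (minutes 5000-5019)
    - a 90-minute degraded period at 45 s latency (minutes 20000-20089)
    - a 120-minute maintenance window announced with 168 hours' notice (minutes 30000-30119)
    """
    samples = []
    for m in range(30 * 1440):
        if 1000 <= m < 1240:
            samples.append(Sample(m, up=False, latency_ms=0, maintenance_notice_h=24))
        elif 5000 <= m < 5020:
            samples.append(Sample(m, up=False, latency_ms=0))
        elif 20000 <= m < 20090:
            samples.append(Sample(m, up=True, latency_ms=45000))
        elif 30000 <= m < 30120:
            samples.append(Sample(m, up=False, latency_ms=0, maintenance_notice_h=168))
        else:
            samples.append(Sample(m, up=True, latency_ms=180))
    return samples


if __name__ == "__main__":
    month = build_constructed_month()
    vendor = availability(month)
    customer = availability(month, count_maintenance_below_notice_h=72, latency_threshold_ms=2000)
    print("budget at 99.9%/30 days:", allowed_downtime_minutes(99.9, 30), "minutes")
    print("vendor method:  ", vendor, "meets 99.9%:", meets_sla(vendor[0], 99.9))
    print("customer method:", customer, "meets 99.9%:", meets_sla(customer[0], 99.9))
```

On the same constructed month the vendor's method reports roughly 99.95% and a met SLA, while the negotiated method reports roughly 99.19% and a missed one; the gap is entirely the short-notice maintenance window and the degraded period, which is why the measurement definitions, not the headline percentage, decide whether a credit or a termination right is ever triggered.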

Not sure how your vendor contract stacks up?

Upload your vendor agreement and get a clause-by-clause AI analysis in minutes. We flag problematic provisions, explain what they mean in plain English, and suggest specific negotiation language — for $4.99.

Review My Vendor Contract →
05
High Priority

Warranties and Disclaimer of Warranties

"EXCEPT AS EXPRESSLY SET FORTH HEREIN, VENDOR MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. VENDOR DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM HARMFUL COMPONENTS."

— Example vendor contract language

Warranty disclaimers are standard in commercial vendor agreements, but their scope varies significantly — and the express warranties that survive the disclaimer are what actually protect you.

The clause above is a comprehensive warranty disclaimer that eliminates all implied warranties under the Uniform Commercial Code (UCC) and common law. Without express warranty commitments in the agreement, you are purchasing on an as-is basis.

Implied warranties under the UCC. For agreements involving the sale of goods, the UCC supplies two default warranties that apply unless they are explicitly (and, for merchantability, conspicuously) disclaimed: (1) the implied warranty of merchantability, that the goods are fit for the ordinary purposes for which such goods are used; and (2) the implied warranty of fitness for a particular purpose, that the goods are suitable for the buyer's specifically communicated purpose. The clause above disclaims both, and the all-caps formatting is what makes the disclaimer conspicuous.

Express warranties to negotiate. Because implied warranties are disclaimed, your protection depends entirely on the express warranties you negotiate. These should include:

*Conformance warranty* — The service will materially conform to the specifications and documentation. This gives you a basis to demand remediation if the service fails to perform as documented.

*Non-infringement warranty* — The service does not infringe the intellectual property rights of third parties. Without this warranty, you could be named in an infringement suit without any contractual right to indemnification from the vendor.

*Security warranty* — The vendor employs commercially reasonable security practices commensurate with industry standards. This is increasingly important given the frequency of vendor data breaches.

*No harmful code* — The software does not contain viruses, malware, backdoors, or other harmful code. Some vendors use the disclaimer above to eliminate this protection entirely.

*Professional services standard of care* — For professional services engagements, the vendor will perform in a professional and workmanlike manner consistent with industry standards.

What to Do

Do not accept a pure disclaimer without negotiating express warranties. At minimum, secure: (1) a conformance warranty with a specific cure period (e.g., 30 days to remediate material non-conformance); (2) a non-infringement warranty with an IP indemnification obligation; (3) a security warranty tied to a named standard, such as maintaining a current SOC 2 Type II report or ISO 27001 certification (SOC 2 is an auditor's attestation on the controls in scope during the audit period, not a certification, so require a copy of the report and check that its scope covers the service you are buying); and (4) a harmful code warranty. Verify that these warranties survive for a meaningful period; some vendors try to limit warranty periods to 30 or 90 days, which is inadequate for discovering latent defects in complex software systems.

06
High Priority

Indemnification: Who Bears the Cost of Third-Party Claims

"Vendor shall indemnify, defend, and hold harmless Customer from and against any third-party claims arising from Vendor's gross negligence or willful misconduct. Customer shall indemnify, defend, and hold harmless Vendor from and against any third-party claims arising from Customer's use of the Services."

— Example vendor contract language

Indemnification clauses determine who pays for third-party lawsuits and claims arising from the vendor relationship. The clause above is highly unfavorable to the customer and illustrates how standard vendor paper can shift nearly all risk to the buyer.

The vendor's indemnification scope. The vendor only indemnifies the customer for claims arising from the vendor's *gross negligence or willful misconduct.* This is a high bar. Ordinary negligence — which covers most vendor errors, service failures, and data breaches — is excluded. A vendor whose security vulnerabilities cause a customer data breach is typically merely negligent, not grossly negligent. Under this clause, the customer would bear the cost of the resulting third-party claims.

The customer's indemnification scope. The customer indemnifies the vendor for claims arising from "Customer's use of the Services" — an open-ended, broadly worded obligation. This could be interpreted to require the customer to indemnify the vendor for claims that arise from the vendor's own service design if those claims are framed as arising from the customer's use.

**IP indemnification** is frequently the most important indemnification negotiation. If the vendor's software infringes a third-party patent or copyright, the customer may be named in an infringement suit. The vendor should indemnify the customer for IP infringement claims and have the obligation to: (1) obtain a license that allows continued use, (2) modify the service to be non-infringing, or (3) if neither is feasible, refund prepaid fees and allow termination.

Defense obligations. Note that "indemnify, defend, and hold harmless" includes the obligation to provide a legal defense, not just to pay any eventual judgment. Ensure the clause specifies that the indemnifying party will pay defense costs as they are incurred (not just at final judgment) and that the indemnified party has approval rights over any settlement that creates obligations on the indemnified party.

What to Do

Expand the vendor's indemnification obligation to cover claims arising from: (1) Vendor's negligence (not just gross negligence); (2) Vendor's breach of the agreement; (3) infringement of third-party IP rights by the Services; and (4) Vendor's data breach or unauthorized disclosure of Customer data. Narrow the customer's indemnification obligation to claims arising from Customer's breach of the agreement or Customer's gross negligence or willful misconduct. Add a mutual defense and control provision: each party controls the defense of claims for which it is the indemnitor, but the indemnified party has the right to participate with counsel of its choice at its own expense, and no settlement may be entered that imposes obligations on the indemnified party without its consent.

07
High Priority

Limitation of Liability: The Clause That Caps Your Recovery

"IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF PROFITS, LOSS OF DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. VENDOR'S AGGREGATE LIABILITY SHALL NOT EXCEED THE FEES PAID IN THE THREE (3) MONTHS PRECEDING THE CLAIM."

— Example vendor contract language

Limitation of liability clauses cap the damages a vendor will pay if something goes seriously wrong. These clauses are standard — virtually every vendor contract includes them — but their specific terms vary enormously and can mean the difference between meaningful recovery and a token payment.

The consequential damages waiver. The first sentence of the clause above eliminates consequential damages. In almost every scenario where a vendor failure matters financially, the damages you actually suffer are consequential: lost business, business interruption costs, regulatory penalties from a data breach, the cost of switching to a replacement vendor, reputational harm. Eliminating consequential damages often eliminates the entire meaningful recovery.

The aggregate liability cap. The second sentence caps the vendor's total liability at three months of fees. If you pay $10,000 per month, the vendor's maximum liability for any claim — including a data breach, extended service outage, or fraudulent billing — is $30,000. A data breach affecting customer personal data can cost a business millions in remediation, notification, regulatory fines, and litigation. A three-month fee cap does not remotely correspond to that exposure.

What should be carved out of the cap. Standard carve-outs from the limitation of liability in a well-negotiated agreement include:

- Indemnification obligations (particularly IP indemnification and data breach indemnification)
- Gross negligence and willful misconduct
- Death and personal injury (though less relevant in commercial vendor agreements)
- Confidentiality breaches
- Fraud and misrepresentation

The cap amount. A more reasonable cap for significant vendor relationships is 12 months of fees (or more), not 3 months. For vendors handling sensitive data or providing mission-critical infrastructure, the cap should reflect the potential exposure — which may require a higher aggregate cap with specific sub-limits for different liability categories (e.g., a higher cap for data breach claims).

What to Do

Negotiate on three fronts: (1) Carve IP indemnification, data breach claims, confidentiality breach, and gross negligence/willful misconduct out of both the consequential damages waiver and the aggregate cap; (2) Increase the aggregate cap to at least 12 months of fees — for high-stakes relationships, push for an amount that actually corresponds to your potential exposure; (3) If the vendor will not increase the aggregate cap, negotiate a separate, higher sub-limit specifically for data breach and security incidents. Many vendors will negotiate these carve-outs, particularly for enterprise deals, even when they resist changing their standard template.

08
High Priority

Data Handling and Privacy: Protecting Your Data and Your Customers' Data

"Customer grants Vendor a license to use Customer Data to provide and improve the Services, to develop new products and services, and for Vendor's internal analytics purposes."

— Example vendor contract language

Data handling provisions determine what the vendor can do with your data and your customers' data. The clause above — granting a license to use customer data for "improving the Services," developing new products, and internal analytics — is among the most commonly overlooked and most consequential provisions in modern software agreements.

The scope of the data license. "Improving the Services" and "internal analytics" are expansive categories. Under this provision, a vendor could use your customer data to train machine learning models, develop competitive features, and generate aggregate insights that the vendor then monetizes as data products. The customer whose data is being used typically has no visibility into this process and receives no compensation.

Data processing agreements (DPAs) and GDPR. If you handle personal data of individuals in the European Union, the UK, or California, data processing is subject to specific legal requirements. The EU GDPR and the UK GDPR require a data processing agreement (DPA) between the data controller (typically the customer) and the data processor (typically the vendor). The DPA must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, the processor's security and confidentiality obligations, assistance with data subject rights, subprocessor approval and flow-down obligations, data retention and deletion, audit rights, and cross-border transfer mechanisms. The CCPA similarly requires specific contractual terms with service providers. Processing personal data without a compliant DPA exposes you to regulatory enforcement.

Data residency and cross-border transfers. Where does the vendor store your data? Some regulations require data to remain within specific geographic boundaries. Financial data, healthcare data, and government data are subject to specific sovereignty requirements in many jurisdictions. GDPR restricts transfers of EU personal data to countries outside the EU/EEA without specific safeguards.

Data security. Vendors who hold your data should maintain security standards appropriate to the data's sensitivity. A current SOC 2 Type II report, ISO 27001 certification, or HIPAA compliance (for healthcare data) are standard benchmarks. Verify that the agreement requires these standards and grants you audit rights or access to security assessment reports, and read the reports' scope sections: a SOC 2 report covers only the systems, locations, and controls the vendor chose to include, and a report for a different product line or data center tells you nothing about the service you are buying.

Data deletion and return. When the vendor relationship ends, what happens to your data? Many vendor agreements give the vendor the right to retain data for extended periods after termination and provide only vague commitments about eventual deletion. You need the right to export your data in a machine-readable format and a contractual commitment to delete your data within a defined period after termination.

What to Do

Replace the overbroad data license with a narrowly scoped provision: "Vendor may use Customer Data solely to provide the Services to Customer and for no other purpose. Without limiting the foregoing, Vendor shall not use Customer Data to train machine learning models, to develop new products or services, or for Vendor's internal analytics unrelated to providing the Services to Customer." Add: (1) A GDPR/CCPA-compliant DPA if you handle any personal data; (2) Explicit data residency requirements if applicable; (3) Specific security standards with audit rights; (4) Data portability, meaning the vendor must provide your data in a standard machine-readable format upon request; (5) Data deletion, meaning the vendor must delete all your data within 30 days of termination and certify deletion in writing, with the agreement stating how long copies may persist in backups and when those are purged.

09
High Priority

Intellectual Property Ownership: Who Owns Custom Work and Derivatives

"Any customizations, configurations, or developments created by Vendor at Customer's request shall be owned exclusively by Vendor, and Customer is granted a limited, non-exclusive license to use such developments solely in connection with the Services during the Term."

— Example vendor contract language

Intellectual property ownership provisions determine who owns the deliverables, customizations, and integrations created during the vendor relationship. The clause above — assigning all custom work to the vendor — is standard vendor paper but represents a significant risk for buyers who invest in vendor-specific development.

Custom development. If you pay a vendor to build custom features, integrations, or configurations, the question of who owns that work is not academic. Under the clause above, the vendor owns everything they build for you. If you leave the vendor, you lose access to those customizations — and the vendor can potentially sell or license the same custom work to your competitors.

Work-for-hire doctrine. Under U.S. copyright law, a "work made for hire" belongs to the party that commissioned it if it falls within specific statutory categories and there is a written agreement designating it as such. Custom software commissioned from an independent vendor usually does not fall within those categories, which is why a work-for-hire designation alone is not enough and a fallback assignment is needed. Many vendors deliberately avoid both work-for-hire language and assignment language to preserve ownership of custom developments. Custom software developed by a vendor at customer expense does not automatically belong to the customer without an explicit written assignment.

Background IP vs. foreground IP. A reasonable middle ground acknowledges: (1) the vendor's background IP — pre-existing technology, frameworks, and tools — remains the vendor's property; (2) foreground IP — new work created specifically for the customer — belongs to the customer, with the vendor retaining a license to underlying tools and methods. This distinction is the basis of most negotiated IP ownership regimes.

Derivatives and enhancements. Even when custom deliverables are assigned to the customer, vendors sometimes retain rights to "derivatives and enhancements" of their background IP — a category broad enough to recapture significant portions of the custom work. The definitions in the IP assignment clause require careful attention.

Open-source components. If the vendor uses open-source components with copyleft licenses (e.g., GPL) in their product, those licenses may impose obligations on you, including requirements to release your own code under the same license. For the GPL these obligations are triggered by distribution of the software; the AGPL extends them to software that users interact with over a network, which is the case that matters for a hosted service. Request a software bill of materials (SBOM) for any software solution and legal review of open-source license obligations.

What to Do

For any custom development you are funding, negotiate for work-for-hire ownership or an explicit IP assignment: "All Deliverables created specifically for Customer under this Agreement shall be deemed works made for hire and shall be owned exclusively by Customer. To the extent any Deliverable does not qualify as a work made for hire, Vendor hereby irrevocably assigns to Customer all right, title, and interest in such Deliverable." Grant the vendor a license back to underlying tools and methods (background IP) that predated the engagement. Require the vendor to disclose any open-source components with restrictive licenses and provide an SBOM.
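Reviewing the open-source components named in the paragraph above is easier once the SBOM is in a machine-readable format. The following is an added example, not code from the page or from any SBOM tool: it reads a CycloneDX 1.4 JSON document, collects each component's license identifiers (single `id`, free-text `name`, or an SPDX `expression`), and flags strong copyleft, network copyleft (AGPL), unrecognized, and missing licenses for legal review. The embedded SBOM, its component names, and its license assignments are constructed for the example, and the license sets are a starting point, not a complete policy.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX 1.4 JSON SBOM. Component names, versions and licenses are
# invented for this example and do not describe any real vendor product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline-clone", "version": "8.1",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "agpl-service", "version": "2.0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "dual-lib", "version": "0.9",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "name": "odd-db", "version": "5.0",
         "licenses": [{"license": {"name": "Custom Source-Available License"}}]},
        {"type": "library", "name": "nolicense-lib", "version": "0.1"},
    ],
})

# SPDX identifiers grouped by the obligation they carry. Deliberately not exhaustive:
# extend these sets to match your organisation's open-source policy.
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
STRONG_COPYLEFT = NETWORK_COPYLEFT | {"GPL-2.0-only", "GPL-2.0-or-later",
                                      "GPL-3.0-only", "GPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def classify(license_id: str) -> str:
    """Map an SPDX identifier (or free-text name) to an obligation category."""
    if license_id in NETWORK_COPYLEFT:
        return "network-copyleft"      # obligations triggered by network use (SaaS)
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"       # obligations triggered by distribution
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unrecognized"              # free-text names and unknown ids need a human


def licenses_of(component: Dict) -> Iterator[Tuple[str, bool]]:
    """Yield (identifier, choice_available) for every license attached to a component.

    CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": "..."}.
    For an SPDX expression every identifier is reported; choice_available is True when
    the expression contains OR, i.e. you may pick the least restrictive alternative.
    Exception names after WITH (e.g. Classpath-exception-2.0) surface as unrecognized,
    which is the conservative outcome.
    """
    for entry in component.get("licenses", []):
        if "expression" in entry:
            expr = entry["expression"]
            tokens = re.findall(r"[A-Za-z0-9.+-]+", expr)
            for ident in tokens:
                if ident not in ("AND", "OR", "WITH"):
                    yield ident, " OR " in expr
        else:
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name")
            if ident:
                yield ident, False


def scan_sbom(sbom_json: str) -> List[Dict]:
    """Return one finding per non-permissive license (and per component with none)."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        found = list(licenses_of(comp))
        if not found:
            findings.append({"component": label, "license": None,
                             "category": "missing", "choice": False})
            continue
        for ident, choice in found:
            category = classify(ident)
            if category == "permissive":
                continue
            findings.append({"component": label, "license": ident,
                             "category": category, "choice": choice})
    return findings


def blocking_findings(findings: List[Dict]) -> List[Dict]:
    """Copyleft licenses with no permissive alternative: raise these before signing."""
    return [f for f in findings
            if f["category"] in ("strong-copyleft", "network-copyleft") and not f["choice"]]


if __name__ == "__main__":
    results = scan_sbom(SAMPLE_SBOM)
    for f in results:
        print(f"{f['category']:17} {f['component']:22} {f['license']}"
              + ("  (dual-licensed, choice available)" if f["choice"] else ""))
    print("blocking:", [f["component"] for f in blocking_findings(results)])
```

Run against a vendor-supplied SBOM, the blocking list is the set of components to raise with the vendor and counsel before signing; dual-licensed components and unrecognized or missing license entries still need a human look, but they are a question rather than a known conflict.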

10
Medium Priority

Exclusivity Clauses: When Your Vendor Agreement Restricts Your Choices

"During the Term and for twelve (12) months following termination, Customer agrees to purchase all requirements for [Product Category] exclusively from Vendor and shall not purchase, license, or use any competing products or services without Vendor's prior written consent."

— Example vendor contract language

Exclusivity provisions in vendor agreements can dramatically restrict your operational flexibility. Unlike exclusivity in employment contexts (where it governs the employee), vendor-side exclusivity governs the buyer — it prevents you from using competing products or suppliers, sometimes for significant periods.

Requirements contracts. The clause above is a form of "requirements contract" — you agree to purchase all of your requirements for a product category from the vendor. Requirements contracts are enforceable under the UCC but must involve a good-faith obligation to make purchases (you cannot use a requirements contract to commit to buying nothing). The key risk: if your requirements grow substantially, you are locked into a single supplier who knows you have no leverage to renegotiate.

Non-compete obligations on buyers. Some vendor agreements, particularly in enterprise software, include language preventing the customer from purchasing, licensing, or even evaluating competitive products during the term. Such provisions may draw antitrust scrutiny where the vendor has significant market power; between parties without market power they are typically enforceable as written, so do not count on the law to void a clause you signed.

Exclusivity duration. Post-termination exclusivity — the 12-month tail period in the clause above — is particularly problematic. If you terminate the vendor relationship because of poor service, you may still be contractually prohibited from switching to a competitor for a year. This creates a damaging asymmetry: the vendor can fail to perform, you can terminate, but you cannot fully replace them immediately.

Minimum purchase commitments. Even without formal exclusivity language, minimum purchase commitments can create de facto exclusivity. If you commit to spending $500,000 per year with a vendor, the economic incentive to use competitors is substantially reduced. Minimum commitments should be sized conservatively, with a clear ramp schedule and flexibility provisions for material changes in your business.

What to Do

Reject post-termination exclusivity entirely — there is no legitimate basis for a vendor to restrict your purchasing choices after the relationship ends. For in-term exclusivity, narrow the scope to specific product categories where exclusivity is actually required for the vendor's service model (e.g., a platform that technically cannot interoperate with competitors), and limit it to the initial term only. Add a market development clause: "Customer's exclusivity obligations are conditioned on Vendor maintaining competitive pricing within [X]% of market rates for comparable services. If Vendor's pricing exceeds this threshold, Customer may purchase from alternative suppliers without breach." Size minimum purchase commitments conservatively, with a ramp schedule and a force majeure carve-out.

Not sure how your vendor contract stacks up?

Upload your vendor agreement and get a clause-by-clause AI analysis in minutes. We flag problematic provisions, explain what they mean in plain English, and suggest specific negotiation language — for $4.99.

Review My Vendor Contract →

11
High Priority

Auto-Renewal Traps: The Clause That Commits You Without Warning

"This Agreement shall automatically renew for successive one-year terms unless either party provides written notice of non-renewal at least ninety (90) days prior to the end of the then-current term."

— Example vendor contract language

Auto-renewal clauses are one of the most common sources of unintended vendor commitment. Businesses that intend to evaluate alternatives at contract renewal find themselves locked into another year (or more) because the cancellation notice deadline passed unnoticed.

The 90-day notice trap. The clause above requires 90 days' notice before the end of the term to avoid auto-renewal. For an annual contract, this means you must decide not to renew at the 9-month mark — while you may still have 3 months of service to evaluate and a natural inclination to defer the decision. Vendors structure these windows deliberately: the notice period is long enough that most buyers miss it, but short enough that it seems reasonable.

Renewal pricing. The clause above says nothing about pricing in renewal terms. Even if you locked in pricing for the initial term, an auto-renewal at "then-current list pricing" could expose you to significant price increases without any negotiation leverage — because by the time the renewal happens, you have technically already committed.

Multi-year auto-renewals. Some vendor agreements auto-renew for multi-year terms (two or three years), not just one. A missed cancellation window on a multi-year auto-renewal can commit your organization to three additional years of spending.

Enterprise agreements with consumption commits. In large enterprise SaaS agreements, the auto-renewal may also renew minimum consumption commitments, not just the base subscription. If your usage has declined below the committed level, you will be committed to paying for unused capacity again in the new term.

Calendar management. The practical solution to auto-renewal traps is process, not negotiation: maintain a contract renewal calendar that flags cancellation deadlines at 90, 60, and 30 days before the notice deadline. Many finance and legal teams now use contract lifecycle management (CLM) software to automate this process.

What to Do

Shorten the cancellation notice period to 30 days (60 days maximum). Add language freezing pricing in renewal terms unless the vendor provides notice of changes at least 90 days before the start of the renewal term. Insert an explicit statement of renewal pricing: "Fees for any Renewal Term shall not increase by more than [X]% above the fees for the immediately preceding term." Consider adding a provision that allows termination without penalty within 30 days of receiving notice of a price increase that exceeds the agreed cap. Set calendar alerts at 90, 60, and 30 days before the notice deadline for every vendor contract you sign.

12
High Priority

Termination Rights: For Cause, For Convenience, and For Non-Payment

"Either party may terminate this Agreement for cause upon thirty (30) days' written notice if the other party materially breaches this Agreement and fails to cure such breach within the notice period. Vendor may immediately suspend or terminate Services for non-payment of undisputed amounts."

— Example vendor contract language

Termination clauses define the conditions under which either party can exit the agreement, the notice required, and — critically — the consequences of exit. Imbalanced termination rights are among the most common sources of leverage abuse in vendor relationships.

Termination for cause. The clause above provides for mutual termination for material breach with a 30-day cure period. This is standard. The key issues are: What constitutes a "material breach"? Must the breach be repeated before termination is available? Does a pattern of non-material breaches eventually become material?

Termination for convenience. Notably absent from the clause above: any right of the customer to terminate for convenience. Many vendor agreements allow the vendor to terminate for convenience on short notice but do not reciprocate that right to the customer. If the vendor terminates for convenience, you are left scrambling to find an alternative; if you want to exit for convenience, you cannot. Buyers should insist on a mutual termination-for-convenience right, typically with a 60–90 day notice period and, in longer contracts, a wind-down payment that compensates the vendor for transition costs without being punitive.

Termination for SLA failures. SLA remedies that consist only of service credits leave you contractually bound to a vendor who cannot perform. Negotiate an explicit right to terminate for cause (without penalty) if SLA failures exceed defined thresholds within a rolling period (e.g., two failures in any rolling 12-month period, or any failure exceeding 8 consecutive hours).

Transition obligations. What happens to your data and operations when the vendor relationship ends? The agreement should require the vendor to: (1) continue providing services through the notice period at current pricing; (2) provide data export in a usable format within 30 days of termination; (3) cooperate with transition to a successor vendor; and (4) continue providing access to historical data for a reasonable period (e.g., 90 days) post-termination.

What to Do

Negotiate for: (1) A mutual termination-for-convenience right with 60 days' notice (the vendor already has this right even if unwritten — asymmetric rights favor only the vendor); (2) Termination for cause triggered by SLA failures beyond defined thresholds; (3) An explicit data export and transition assistance obligation — the vendor must assist transition to a successor at no additional charge; (4) A "termination for insolvency" right — if the vendor files for bankruptcy or makes an assignment for the benefit of creditors, you should be able to terminate immediately and retrieve your data; (5) Return of prepaid fees for any unused period in the event of early termination by either party.

13
Medium Priority

Force Majeure: When Vendors Can Excuse Performance

"Neither party shall be liable for delays or failures in performance resulting from acts beyond the reasonable control of such party, including without limitation acts of God, acts of government, labor disputes, civil unrest, energy shortages, internet service provider failures, third-party service provider outages, and pandemic conditions."

— Example vendor contract language

Force majeure clauses excuse a party from performance when events beyond their control prevent them from fulfilling their contractual obligations. During COVID-19, force majeure clauses were invoked extensively, and the pandemic has prompted more careful attention to these provisions in all commercial contracts.

The scope of the carve-out. The clause above includes "internet service provider failures" and "third-party service provider outages" in its list of force majeure events. For a cloud software vendor, this creates a significant gap: if their cloud infrastructure provider (AWS, Azure, Google Cloud) goes down, the vendor is excused from performance and SLA obligations. Given that cloud outages are a foreseeable (and periodic) operational risk for any cloud vendor, allowing them to serve as force majeure events effectively means the vendor never bears the risk of cloud infrastructure failures.

Duration limits. Force majeure clauses should include a time limit. If a force majeure event persists for more than a defined period (e.g., 30 consecutive days), either party should have the right to terminate. Without a duration limit, a vendor who experiences a prolonged outage could claim force majeure indefinitely, leaving you unable to exit and unable to recover.

Mitigation obligations. Force majeure should not be a license to stop trying. Well-drafted clauses require the affected party to use commercially reasonable efforts to overcome or mitigate the force majeure event and to notify the other party promptly.

Payment obligations during force majeure. If the vendor is not delivering services due to force majeure, you should not be obligated to pay for those services. Vendors often include force majeure in SLA exclusions but do not correspondingly suspend payment obligations. The two provisions must be read together.

What to Do

Exclude foreseeable infrastructure risks (cloud provider outages, cybersecurity incidents, routine internet failures) from the force majeure definition — these are operational risks the vendor should manage through redundancy and business continuity planning, not risks to pass to the customer. Add a duration limit: "If a force majeure event continues for more than thirty (30) consecutive days, either party may terminate this Agreement without penalty with immediate effect." Require the vendor to provide monthly prepaid fee credits for any period during which force majeure prevents service delivery, and explicitly state that Customer's payment obligations are suspended pro rata during any force majeure period.

14
High Priority

Vendor Lock-In Tactics: Recognizing the Contract Provisions That Trap You

Vendor lock-in is not always the result of superior product quality — it is often engineered through contractual and technical mechanisms that make switching expensive even when a better alternative exists. Understanding these mechanisms is essential to negotiating contracts that preserve your operational flexibility.

Data portability restrictions. Vendors who store your data in proprietary formats, impose high export fees, or provide data exports only in non-standard formats are creating technical lock-in that the contract may reinforce. Watch for provisions that: (1) do not commit to exporting data in machine-readable, open formats (CSV, JSON, XML); (2) charge for data exports; (3) limit data exports to single-use downloads; or (4) fail to commit to export availability after termination.

Integration dependencies. Deeply integrated vendors — where their system connects to your ERP, CRM, HRIS, or core operational systems — become costly to replace not because of any contractual provision but because of the migration effort. Contracts should specify the vendor's obligation to maintain documented, stable APIs and to provide migration assistance.

Training and certification lock-in. Some enterprise vendors offer proprietary certifications and specialized training that create human capital lock-in: your team's expertise is specific to that vendor's platform and does not transfer to competitors. This is a particularly powerful retention mechanism for complex enterprise platforms.

Long contract terms. Multi-year initial terms (3, 5, or even 10 years) are a primary lock-in mechanism. The argument for long terms is typically pricing — vendors offer discounts for multi-year commitments. The calculation must weigh the discount against the cost of being locked in if the vendor's quality deteriorates, pricing increases, or a better alternative emerges. For most commercial relationships, 2-year initial terms with annual renewal rights strike the right balance.

Transition assistance (or its absence). A vendor who provides no contractual obligation to assist with transition effectively holds your operations hostage at contract end. The absence of explicit transition assistance is itself a lock-in mechanism — you know that switching will be painful, so you re-sign.

What to Do

Negotiate the following anti-lock-in provisions proactively: (1) Data portability — the vendor must export your data in open, machine-readable formats at no additional charge, on request, at any time; (2) API stability — the vendor must maintain backward-compatible API versions for at least 18 months after deprecation notice; (3) Transition assistance — the vendor will provide up to [X] hours of transition assistance at no charge upon any termination; (4) Contract term — resist terms longer than 2 years unless the pricing discount is substantial and you have verified exit clauses; (5) Escrow — for critical custom software, require the source code to be placed in escrow with a neutral third party, released to you if the vendor becomes insolvent or discontinues the product.

15
Medium Priority

Negotiation Priorities by Clause: Where to Spend Your Capital

Not every clause in a vendor agreement is equally negotiable or equally important. Understanding where to focus your negotiation effort — and what to trade away — is the difference between an exhausting, unproductive negotiation and one that achieves meaningful protections efficiently.

Tier 1: Must-win provisions. These are non-negotiable from a risk management standpoint. Do not sign if you cannot get acceptable terms here:

- *Limitation of liability* — The combination of a 3-month cap and full consequential damages waiver creates unlimited downside exposure for you and near-zero accountability for the vendor. If the vendor cannot offer at least 12 months and carve-outs for data breach and IP infringement, that is a serious red flag about how they manage risk.
- *Data handling and ownership* — Overbroad data use licenses and missing deletion obligations can create GDPR/CCPA compliance exposure and give the vendor rights you never intended to grant.
- *IP ownership for custom work* — Any custom development you fund should belong to you.
- *Auto-renewal with 90+ day notice* — This is a pure customer trap. Insist on 30 days.

Tier 2: Strong preference provisions. Push hard here; accept reasonable compromises:

- *SLA remedies* — Credits are insufficient; escalating remedies and termination rights for chronic failures are the goal.
- *Price escalation caps* — Accept CPI-linked increases; reject uncapped unilateral increases.
- *Termination for convenience* — Mutual, not one-sided.
- *Force majeure scope* — Cloud infrastructure risks should not be the customer's problem.

Tier 3: Worth raising, not deal-breakers. Raise these in negotiation; accept compromise if the vendor resists:

- *Invoice dispute windows* — Request 45 days; accept 30.
- *Late payment interest rates* — Propose prime rate + 2%; accept 12% APR.
- *Exclusivity scope* — Narrow where possible; a complete rejection may not be feasible in certain supply arrangements.

The vendor's perspective. Understanding what vendors care most about helps you find mutually acceptable positions. Vendors typically care deeply about: their limitation of liability (their legal team has drawn a clear line here), payment timing, auto-renewal predictability (revenue forecasting), and IP ownership of their core platform. Provisions vendors contest less often include transition assistance, data portability, notice periods, and price escalation methodology. Use this asymmetry strategically.

What to Do

Start every vendor negotiation by identifying your Tier 1 must-wins and communicating them early: "We have a few provisions that are firm requirements for our legal and finance teams — I want to flag them up front so we don't waste time on terms we can't change." This frames the negotiation constructively and signals that you have done your homework. Avoid negotiating every single clause — excessive redlines signal unsophisticated buyers and delay closings. Focus your ammunition on provisions with real financial or operational consequences.

16
High Priority

Red Flags in Vendor Agreements: Warning Signs to Watch For

Certain provisions and negotiation behaviors signal that a vendor is more interested in exploiting contractual leverage than building a fair commercial relationship. These red flags deserve careful attention before signing.

**Contractual red flags:**

*Unilateral amendment rights* — "Vendor may update these terms at any time by posting revised terms on its website." This provision, common in click-wrap agreements, effectively means you have no fixed terms — the vendor can change the deal at will. Insist on written notice and a right to terminate without penalty if you object to material changes.

*Uncapped price escalation with short notice* — The ability to raise prices by any amount with 30 days' notice, combined with technical or operational lock-in, creates a pricing stranglehold.

*Asymmetric indemnification* — The vendor is indemnified for claims arising from "Customer's use of the Services" with no reciprocal protection for the customer. When reading indemnification, ask: if the vendor's service causes a third-party problem, who pays?

*Governing law in a distant jurisdiction with mandatory arbitration in a specific city* — Requiring all disputes to be resolved by arbitration in a city where the vendor is headquartered, before an arbitrator the vendor nominates, creates procedural unfairness. A neutral venue and a balanced arbitrator selection process both matter.

*Missing termination provisions for insolvency* — If the vendor files for bankruptcy, your contract may become an asset of the bankruptcy estate. The vendor's trustee may have the right to reject the contract (terminating your access) or assign it to a competitor. Explicit insolvency termination rights and data retrieval obligations are essential.

**Negotiation behavior red flags:**

*"This is our standard form and we can't change it"* — Every vendor has changed their standard form for a sufficiently valuable customer. This statement tells you they do not see you as a priority customer, not that the terms are immutable.

*Pressure to sign quickly* — Artificial urgency ("the discount expires at end of quarter") is a negotiation tactic, not a business reality. Legitimate urgency should be explained with specifics; artificial urgency is designed to prevent careful review.

*Excessive redline resistance on liability provisions* — Vendors who have experienced significant claims tend to have sophisticated positions on liability. Vendors who refuse any discussion of liability caps may be signaling awareness of specific risk areas they do not want to discuss.

What to Do

When you encounter red flags in negotiation behavior, respond with due diligence rather than urgency. If a vendor claims their terms are non-negotiable, ask for their procurement or legal contact and inquire directly. If artificial urgency is being applied, verify whether the stated deadline is real. Keep a written record of representations made during the sales process — they may be relevant if the contract later needs to be interpreted or a dispute arises. Consider whether a vendor's reluctance to negotiate fair terms is itself a signal about how they will behave as a long-term partner.

17
Medium Priority

Vendor Due Diligence Checklist: Before the Contract Review

Contract review addresses what the vendor has committed to on paper. Vendor due diligence addresses what the vendor is actually capable of delivering — and whether they are the kind of organization that will honor their commitments. Both are necessary.

Financial stability. Vendor insolvency is a serious operational risk. If a critical vendor files for bankruptcy, you may lose access to essential services with little warning. For significant vendors, review publicly available financial information: credit ratings, news coverage of financial difficulties, litigation filings, and any available financial statements. For private vendors, consider requesting a copy of their audited financials or a financial reference from a bank or significant customer.

Security posture. Request the vendor's most recent SOC 2 Type II report (or ISO 27001 certificate). Review the report's scope and findings — a SOC 2 with significant exceptions noted by the auditor is meaningfully worse than a clean report. If the vendor handles sensitive or regulated data, assess their HIPAA compliance (healthcare), PCI-DSS compliance (payment data), or FedRAMP status (government data).

References and customer retention. Ask for three references: a customer in your industry, a customer who has been with the vendor for more than three years, and a customer who has transitioned away from the vendor. The last category is the most revealing — how the vendor handles exit tells you more about their character than how they handle onboarding.

Subprocessor and subcontractor chain. For SaaS vendors, who actually delivers the service? Cloud infrastructure, payment processing, customer support, and security monitoring are commonly subcontracted. The vendor's DPA should list material subprocessors. Review whether any subprocessor introduces additional risk (e.g., a subprocessor in a jurisdiction with problematic data sovereignty laws).

Incident history. Request the vendor's incident history for the past 24 months, including any data breaches, significant outages, and regulatory actions. Review their public security notification page if one exists. Vendors who have experienced incidents and handled them transparently are preferable to vendors with a spotless claimed history that is simply not credible.

What to Do

Build vendor due diligence into your procurement process before contract negotiation begins. A vendor who fails financial stability or security checks should not receive a signed contract regardless of how favorable the terms are. Create a standardized due diligence questionnaire that covers: financial stability, security certifications, incident history, subprocessor list, reference customers, and business continuity plan. For critical vendors (those whose failure would cause significant operational disruption), due diligence should be an annual process, not a one-time pre-signing exercise.

18
Medium Priority

UCC Considerations: State Law Defaults for Goods and Software

The Uniform Commercial Code (UCC), adopted in some form in all 50 U.S. states, provides a set of default rules that govern contracts for the sale of goods when the contract is silent on a particular issue. Understanding where UCC defaults apply — and where they may be overridden by contract — is relevant to any vendor agreement involving goods or software.

Article 2 and its application to software. UCC Article 2 governs contracts for the sale of "goods" — tangible, movable personal property. Its application to software licenses and SaaS agreements is unsettled and varies by jurisdiction. Some courts have applied Article 2 to software transactions (particularly perpetual licenses where software is delivered on physical media or by download); others have treated software licenses as hybrid transactions or pure services outside Article 2's scope. The practical consequence: in states that apply Article 2 to software, the UCC's default rules (including implied warranties) govern unless the contract expressly disclaims them.

The perfect tender rule. Under UCC § 2-601, for goods transactions, the buyer has the right to reject goods that fail in any respect to conform to the contract (the "perfect tender rule"). This is more protective than the "substantial performance" standard that applies to service contracts under common law. If Article 2 applies to your software transaction, you may have the right to reject delivery of nonconforming software in ways that would not be available under a pure services framework.

Battle of the forms (UCC § 2-207). When parties exchange standard purchase orders and acknowledgments with conflicting terms, the UCC's "battle of the forms" rules determine which terms govern. This situation arises frequently in goods procurement: you submit a purchase order with your standard terms; the vendor responds with an acknowledgment containing their standard terms. The UCC attempts to bridge these differences, but the result is often unpredictable. For significant transactions, ensure that a signed, negotiated agreement controls over any exchanged forms.

State-specific variations. While the UCC is "uniform" in the sense of providing a model code, states have adopted variations. Louisiana, in particular, has a civil law tradition and has not adopted Article 2. New York courts have developed a significant body of case law interpreting UCC provisions that may differ from the interpretations of other states. For multi-state vendor relationships, identify which state's law governs and understand whether that state's version of the UCC differs materially from the model code.

What to Do

For goods procurement agreements, verify which body of law governs (UCC Article 2 or common law) and ensure the warranty and remedy provisions in the contract reflect your negotiated position rather than UCC defaults. If UCC Article 2 applies and you want protections beyond the implied warranty disclaimer, ensure the warranty section of your contract provides positive affirmations of the product's fitness rather than relying on the UCC's default implied warranties (which the vendor will disclaim). For software transactions, specify in the governing law clause whether the CISG (Convention on Contracts for the International Sale of Goods) is excluded — it applies automatically to international transactions unless expressly excluded.

19
High Priority

International Vendor Risks: Jurisdiction, Currency, and Cross-Border Compliance

"This Agreement shall be governed by the laws of [Vendor's Home Country], and the parties hereby submit to the exclusive jurisdiction of the courts of [Vendor's Home City] for the resolution of all disputes arising hereunder."

— Example vendor contract language

Engaging international vendors introduces legal and operational risks that do not exist in purely domestic vendor relationships. These risks require additional contractual protections beyond the standard clause review.

Governing law and jurisdiction. The clause above requires you to resolve disputes in the vendor's home country under the vendor's home country's law. This is problematic for multiple reasons. First, your legal counsel may not be familiar with the foreign legal system. Second, enforcing a judgment obtained in a foreign court in the U.S. (or vice versa) requires a separate legal proceeding. Third, the vendor's home country law may provide significantly less protection for commercial counterparties than U.S. law — particularly in jurisdictions with underdeveloped commercial law systems or limited judicial independence.

The CISG. For international sales of goods, the United Nations Convention on Contracts for the International Sale of Goods (CISG) applies automatically between parties in member countries unless expressly excluded. The CISG has different rules from the UCC on formation, warranties, and remedies. Most U.S. businesses exclude the CISG in international vendor agreements to preserve the predictability of their domestic legal framework.

Currency risk. Contracts denominated in a foreign currency expose you to exchange rate volatility. A contract priced in Euros or British Pounds will cost more in dollar terms if the dollar weakens. Consider: (1) invoicing in USD; (2) including a currency fluctuation clause that adjusts pricing if exchange rates move beyond a defined band; or (3) purchasing currency hedging instruments for significant long-term commitments.

Export controls and sanctions. U.S. export control regulations (EAR, ITAR) and sanctions programs (OFAC) may restrict the export of technology, software, or technical data to certain countries, entities, or individuals. Ensure vendor agreements confirm the vendor is not on any OFAC sanctions list and that the technology involved does not require export licenses that would be difficult to obtain or renew.

Data sovereignty and cross-border data flows. As noted in the data handling section, many jurisdictions restrict cross-border transfers of personal data. EU GDPR, China's PIPL, India's DPDP Act, and other data localization regimes impose specific requirements on data transferred internationally. Verify compliance before contracting with international vendors who will receive personal data.

What to Do

For international vendor agreements: (1) Negotiate for governing law and dispute resolution in a neutral jurisdiction (e.g., New York law with ICC or AAA arbitration in New York), not the vendor's home forum; (2) Explicitly exclude the CISG; (3) Invoice in USD where possible; (4) Require the vendor to represent that it is not subject to OFAC sanctions and that no export licenses restrict the services; (5) Ensure a GDPR/CCPA-compliant DPA is in place for any personal data transfers; (6) Add a "sanctions compliance" clause requiring the vendor to notify you immediately if it becomes subject to any sanctions or export control restrictions; (7) Verify that the vendor's contract can be enforced in the event of vendor insolvency under both the foreign jurisdiction's law and U.S. bankruptcy principles.

Vendor Agreement Negotiation Priority Matrix

A quick reference guide for prioritizing your negotiation effort across the key clause categories.

| Clause | Priority | Vendor's Likely Position | Target Outcome |
|---|---|---|---|
| Limitation of Liability | Must-Win | 3-month cap, no consequential damages | 12-month cap, carve-outs for data breach and IP |
| Data Handling | Must-Win | Broad data use license, vague deletion | Narrow license, explicit deletion within 30 days |
| IP Ownership | Must-Win | Vendor owns all custom work | Customer owns funded deliverables |
| Auto-Renewal Notice | Must-Win | 90-day cancellation notice | 30-day cancellation notice |
| SLA Remedies | Strong Preference | Service credits only | Escalating credits + termination right |
| Price Escalation | Strong Preference | Uncapped unilateral increases | CPI cap, 90-day notice, termination right |
| Termination for Convenience | Strong Preference | Vendor only | Mutual, 60-day notice |
| Indemnification | Strong Preference | Narrow vendor indemnity, broad customer indemnity | Broad vendor IP + breach indemnity |
| Invoice Dispute Window | Raise & Negotiate | 15-day dispute window | 30–45 day dispute window |
| Exclusivity | Raise & Negotiate | Broad exclusivity with post-term tail | Narrow scope, no post-term restriction |
| Force Majeure | Raise & Negotiate | Cloud outages included as force majeure | Infrastructure risks excluded; duration limit added |

Frequently Asked Questions

What is the most important clause to negotiate in a vendor agreement?

The limitation of liability clause is typically the most financially significant. Standard vendor contracts cap the vendor's total liability at 3 months of fees and eliminate consequential damages entirely. For a vendor whose failure could cause business disruption, data breach costs, or regulatory penalties, a 3-month cap is functionally meaningless. Negotiate to raise the cap to at least 12 months of fees and carve out data breach claims, IP indemnification obligations, and gross negligence from both the cap and the consequential damages waiver.

How do I avoid auto-renewal traps in vendor contracts?

Negotiate the cancellation notice period down to 30 days (vendors often start with 60–90 days). Set calendar reminders 90, 60, and 30 days before the notice deadline for every vendor contract you sign. Add explicit language that renewal pricing is capped at a defined percentage above current fees, and that you have the right to terminate without penalty if the vendor announces a price increase that exceeds the cap. Many auto-renewal disputes arise not from malice but from administrative oversight — a contract management calendar is the most practical protection.

What should a vendor data handling clause include?

A well-drafted data handling clause should include: (1) a narrow data use license — the vendor may use your data only to provide the services, not for training AI models, developing new products, or internal analytics; (2) data security standards (SOC 2 Type II, ISO 27001, or HIPAA as appropriate); (3) a data breach notification requirement (typically 72 hours for GDPR purposes); (4) data portability — the vendor must export your data in an open, machine-readable format at no charge; (5) data deletion — the vendor must delete all your data within 30 days of termination and certify deletion in writing; and (6) a GDPR/CCPA-compliant data processing agreement if any personal data is involved.

Can I negotiate with large enterprise vendors who say their contracts are standard?

Yes. "Non-negotiable standard terms" is a negotiation position, not a factual limitation. Every vendor has modified their standard form for sufficiently important customers. The practical question is whether your deal is large enough to warrant their legal team's attention. For smaller deals, vendors may hold firm on their standard terms — in which case your decision is whether to accept the terms, walk away, or mitigate risk through other means (cyber insurance, contract management processes). For larger or strategically important deals, escalate past the sales team to legal or procurement, and present a focused redline addressing your highest-priority provisions rather than a comprehensive markup of every clause.

What is vendor lock-in and how do I prevent it contractually?

Vendor lock-in occurs when switching away from a vendor becomes prohibitively expensive or operationally disruptive. Contractual lock-in mechanisms include: long initial terms, missing data portability rights, proprietary data formats, the absence of transition assistance obligations, and post-termination exclusivity. Prevent lock-in by: (1) limiting initial terms to 2 years; (2) requiring data export in open formats at any time at no charge; (3) including explicit transition assistance obligations (e.g., 40 hours of transition support at no charge); (4) rejecting post-termination exclusivity; and (5) for critical custom software, requiring source code escrow with a neutral third party.

What are the key differences between domestic and international vendor agreements?

International vendor agreements introduce several risks absent in domestic deals: governing law in a foreign jurisdiction (which may be less protective and harder to enforce); currency exchange rate risk if the contract is not denominated in USD; CISG applicability (which should typically be excluded); export control and sanctions compliance obligations; and cross-border data transfer restrictions under GDPR, China's PIPL, and other data sovereignty regimes. Mitigate these risks by negotiating for neutral governing law (e.g., New York), USD invoicing, explicit CISG exclusion, vendor sanctions representations, and a GDPR-compliant data processing agreement.

Vendor Agreement Quick Checklist

Use this checklist before signing any vendor agreement.

Pricing & Payments

  • Pricing locked for initial term
  • Price escalation capped (CPI or fixed %)
  • Minimum purchase commitments sized conservatively
  • Invoice dispute window at least 30 days
  • Late payment interest rate capped reasonably

Service & Performance

  • SLA includes definition of "availability" (not just uptime)
  • Scheduled maintenance counts against SLA or is capped
  • SLA remedies include termination right for chronic failures
  • Measurement methodology specified or third-party data allowed
  • Degraded performance (not just outages) addressed

Liability & Risk

  • Aggregate cap at least 12 months of fees
  • Data breach and IP indemnification carved out from cap
  • Vendor indemnifies for IP infringement
  • Vendor indemnifies for negligence (not just gross negligence)
  • Consequential damages waiver has meaningful carve-outs

Data & IP

  • Data use license narrowly scoped to service delivery only
  • GDPR/CCPA-compliant DPA in place for personal data
  • Data portability in open formats at no charge
  • Data deletion certified within 30 days of termination
  • Custom deliverables assigned to customer

Term & Exit

  • Auto-renewal cancellation notice 30 days or less
  • Renewal pricing capped in contract
  • Mutual termination-for-convenience right (60 days)
  • Termination right for SLA failures
  • Transition assistance obligation explicitly stated

International / Other

  • Governing law is neutral (not vendor's home jurisdiction)
  • CISG excluded if international goods transaction
  • Vendor not subject to OFAC sanctions
  • No post-termination exclusivity
  • Force majeure has duration limit and payment suspension


Legal Disclaimer

This guide is provided for general informational and educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. Vendor agreement law varies by jurisdiction, contract type, and the specific facts of each situation. The information in this guide reflects general commercial contracting principles and may not apply to your specific agreement or circumstances. UCC provisions vary by state and are subject to change. GDPR, CCPA, and other data protection regulations are subject to evolving interpretation and enforcement. Before signing any significant vendor agreement, consult a qualified attorney licensed in the relevant jurisdiction. ReviewMyContract is not a law firm and does not provide legal representation. AI-generated contract analysis is a starting point for review, not a substitute for qualified legal counsel.