When a Managed Services Provider begins a relationship with a new client, it is important they agree on certain terms and conditions by which business will be conducted. This is known as the Master Services Agreement (MSA). These are the foundational terms that all business will adhere to unless expressly superseded by a subsequent agreement. Our hosted Master Services Agreement has been developed over 15 years of industry experience and is designed to protect the MSP from a variety of liability risks.
Using our contracts-as-service platform, any Orders or Service Agreements signed by the client will refer to the MSA and indicate that the client acknowledges and reaffirms its terms and conditions. This is important as the MSA will change over time due to changes in the industry. Each time the client signs a new Order they are provided an opportunity to review the latest version of the MSA. If there are new terms and conditions the client cannot agree to, they should resolve those issues before proceeding with the order. With this solution, we are able to put all of the MSP’s customers on the same contract at all times.
There are several key provisions of our Master Services Agreement template that every Managed Service Provider should address at the start of a new relationship.
Managed Service Providers offer different varieties of service. These are specifically defined in Orders and Service Attachments. Most commonly, these define the monthly recurring services provided by the MSP. The MSA clarifies that, if any conflict between the language in the MSA and that in the Order or Service Attachment occurs, the language in the Order or Service Attachment controls.
Additionally, MSPs provide "one-off", emergency, or project services that are outside the scope of any Order or Service Attachment. The MSA defines those services and explains the process by which those services will be contracted.
Our Master Services Agreement indicates that fees for services are defined within subsequent Orders or Statements of Work. In the absence of an Order or SOW, the client agrees that services will be performed on a time and materials basis at current rates.
Our MSA template also defines exceptions whereby the MSP may adjust or charge additional fees. These include changes in the number of users or devices, surcharges, off-boarding, pass-through fees, and delays caused by the client.
Our MSA also defines escalators for the contract. The MSP reserves the right to increase fees at any time. The MSP may set a threshold over which the client has the option to terminate the contract without penalty.
Payment due dates and any penalties for late payment are articulated in the MSA as well. The MSP also reserves the right to suspend the delivery of services and withhold confidential information for non-payment by the client. The MSP may impose a "reactivation fee" to restore service.
All MSPs make use of third-party services in the delivery of the services they provide. These may include services from vendors such as Microsoft, Datto, Kaseya, and many others. Our MSA makes clear to the client that the MSP uses these services and that the MSP is not responsible for any acts or omissions of the third-party vendor. The client’s rights are governed by the third-party vendor's End User License Agreement (EULA) or Terms and Conditions. A schedule of third-party vendors, created last fall in the wake of the Kaseya ransomware attacks, accompanies the MSA as an attachment. Our Schedule of third-party service providers includes the name of the vendor, the service provided, and links to the vendor's End User License Agreement and Privacy policies. The MSA instructs the client to review the policies of the third-party vendors. Most importantly, it contains a clear and unequivocal waiver of the right to sue the MSP for any failure of a third-party service provider.
The term of the agreement is defined in the MSA. The term begins on the Order Effective date on the agreement and continues until the contract is terminated by either party. The MSA is an "evergreen" contract, meaning that it has no set expiration date. The MSA can be terminated at any time with or without cause by either party.
All subsequent Orders and Service Attachments will have their own term and termination clauses. Those clauses will have expiration dates and renewal language. Although the MSA can be terminated at any time, that does not terminate any Orders or Service Attachment agreements. By default, the terms and conditions of the MSA will remain in effect until all subsequent Orders or Service Attachments expire.
Managed Service Providers must protect their Intellectual Property (IP). In our MSA template, any writing or work of authorship created by the MSP or the client while providing the services, referred to as "Provider Work", is owned by the MSP. For any IP that resides on the client’s devices, the MSP grants the client a license to use it. That license automatically expires upon termination of the related Order or Service Attachment.
Likewise, the MSP may provide equipment and software required to perform the services they provide. Our MSA articulates that the ownership of the equipment and software remains with the MSP. Our MSA stipulates that the MSP may switch out equipment or software at their sole discretion. The MSA also states that all equipment will be returned and software removed when the agreement is terminated.
During a managed services relationship both the MSP and the client will inevitably encounter confidential or proprietary information belonging to the other party. Both parties agree in the MSA to keep that information in strict confidence.
Scott & Scott’s MSA defines what information is considered confidential, such as passwords, audit and security reports, MSP pricing, configuration information, etc. Our MSA also defines what constitutes non-confidential information, such as publicly available information, information either party possessed prior to the relationship, and information that must be disclosed pursuant to a court order or by law. The MSA itself is considered confidential information.
In the MSP-Client relationship the client has certain obligations to assist the MSP in the delivery of service. The Client must agree to assist the MSP by providing adequate and timely access to the facilities and equipment and provide a suitable work environment for MSP personnel. This may also include assigning a dedicated point person or project manager as the interface. The client also agrees to perform simple procedures to assist in the diagnosis of issues including reboots and power downs.
The Client is responsible for providing remote access to the MSP via VPN to covered equipment. The client must maintain an environment suitable for the equipment housed including adequate cooling, electrical service, air circulation, and power surge protection.
The Client must agree to maintain proper licensing on all Software in use. The client will not use software that is no longer supported by the manufacturer. The client holds the MSP harmless for any damages caused by the use of unsupported software. Likewise, the client agrees to maintain warranties and maintenance agreements on all hardware. The MSP may designate equipment obsolete when it reaches end-of-life as specified by the manufacturer.
Although the MSP may implement security features as a part of the services they provide, it is ultimately the responsibility of the client to ensure the security of their network. Among other countermeasures, the client agrees to have a firewall in place, ensure the wireless network is encrypted, ensure employees are trained on security awareness, and maintain physical security. The MSP is not responsible for any unauthorized access to the client's network. If a security service is included in the MSP's package of services, the MSP will make commercially reasonable efforts to secure the client's network against hackers and malicious activity. However, the client agrees that no security system can guarantee complete protection. The client agrees to hold the MSP harmless from loss, injury or damage to the client caused by malicious activities.
Though the MSP may offer backup and recovery services as part of their services package, it is the client's responsibility to maintain its own independent off-site backup of the data stored on their network. The client must verify that backups are made regularly. The MSP is not liable for any data loss due to a backup failure.
The MSP is not responsible for any criminal activity by hackers, phishers, crypto-locker, or others. The client agrees to either pay any ransom demands or hold the MSP harmless for any activity affecting network security. The client also agrees to ensure that an anti-virus solution is in place, updated, and properly licensed. The MSP is not responsible for harm caused by viruses or malware. The client agrees to pay any fees associated with the servicing or rebuilding of systems due to malicious activity or virus infection.
It is common for the MSP to provide password management services for the client. However, the client is responsible for the proper use of the password management system. The client must hold the MSP harmless from any loss or damage due to unauthorized access or the misuse of the password management system.