Checklist · 8 min · For Owners

The 12 sections of a complete agreement

A well-written MSP agreement is short, specific, and unambiguous. Twelve sections cover the territory; if your draft is missing any of them, the missing piece is exactly where the dispute will happen later.

1. Scope of services

Exactly what the MSP does and doesn't do. Endpoint management. Mailbox management. Network management. After-hours response. Project work (and how it's quoted separately). The scope should reference the named services (Managed Endpoint, Managed Inbox, Managed Site) and a specific feature list. "Comprehensive IT support" is not a scope.

2. Service Level Agreements (SLAs)

Measurable response and resolution times, by severity. Typical SLA matrix: P1 (business down) — response in 15 minutes, resolution same business day; P2 (one user blocked) — response in 1 business hour, resolution next business day; P3 (request) — response in 2 business hours, resolution within a week. Plus the time-to-isolate SLA for security events (15–30 minutes).

3. Pricing and billing

The recurring rate broken out by service (per device, per mailbox, per location, etc.), what's included at each, what's an add-on, and the billing cadence (monthly, in advance vs. arrears). Plus the change procedure when device, mailbox, or location counts change between billing periods.

4. Contract term and renewal

Initial term (usually 12 months). Auto-renewal terms. Notice to end (usually 60 or 90 days). Early-termination fee if applicable. The notice-window math is where contracts trap clients — read this section twice.

5. Change-management process

How scope changes get added to the agreement — new locations, new SaaS apps brought into management, new compliance scope. Written change orders, signed by both sides, with the recurring or one-time cost specified.

6. Security obligations

The specific security controls the MSP is responsible for deploying and operating (MFA enforcement, EDR coverage, patch SLA, backup retention and restore testing, DNS filtering, the SOC). And the controls that stay on the client (training completion, BAAs with non-MSP vendors, designating the HIPAA Security Officer or GLBA Qualified Individual, signing off on policy updates). If the agreement is silent on security, the security work is also informal.

7. Regulatory annexes

For HIPAA-covered entities: a signed Business Associate Agreement. For GLBA-covered financial institutions: a vendor risk addendum. For municipalities with law enforcement: a CJIS rider. For PCI-scoped retailers: a responsibility matrix mapping which requirements the MSP handles and which the client does. The annexes are usually their own documents attached to the master agreement.

8. Data handling and confidentiality

What data the MSP touches, where it lives, how it's encrypted, who at the MSP has access, and what happens to MSP-held operational data when the agreement ends. This is the section your insurance carrier and any compliance reviewer will read.

9. Limitation of liability

The cap on the MSP's liability if something goes wrong. Often a multiple of the prior 12 months of fees, with carve-outs for gross negligence and willful misconduct. Cyber-insurance coverage on the MSP side complements this — verify the MSP carries cyber liability and ask for the certificate of insurance.

10. Insurance requirements

What insurance the MSP carries (cyber liability, E&O, general liability). What insurance the MSP requires you to maintain. The named-additional-insured clauses on either side. The certificates of insurance refresh annually.

11. Termination and offboarding

The mechanics of ending the agreement: notice period, return of credentials and configurations at no charge, removal of MSP admin access, deletion of MSP-held operational data per client instruction, a transition meeting with the incoming provider. Offboarding charges (if any) should be specified before you sign — not negotiated after you give notice.

12. Appendix: covered assets

The list of every endpoint, mailbox, location, server, and add-on the agreement covers, at the rate specified. Updated by the change-management process when assets are added or removed. This is the source of truth for billing.

The five lines worth questioning before you sign

  1. Notice to terminate. 60 days is reasonable. 90 is the upper end of normal. If it's 6 months, ask why — sometimes that's a flag.
  2. Price-increase clause. Some agreements allow the MSP to increase rates with 30 days' notice. Cap the annual increase (CPI or 3%, whichever is greater, is a typical compromise).
  3. Offboarding charges. If they exist, they're in the contract. "We'll figure it out at the end" is the wrong answer.
  4. Right to assign. What happens if the MSP is acquired or merges? The contract usually allows assignment; you may want a notice or consent requirement.
  5. Dispute resolution. Venue and governing law. For a small business contracting with a regional MSP, this usually defaults to the MSP's home state — that's fine, but read it.

What red-flag agreements look like

How a Micro-IT agreement is structured

Standard 12-month term with auto-renewal. 90-day notice to end after the first term, with no offboarding fees if you finish out the contract. All twelve sections above are present in the master services agreement; the BAA (for healthcare clients) is a signed annex on contract day. Pricing matches the live estimate on the pricing page line for line. The security obligations in the agreement map one-to-one to the stack described on the security page. We're happy to send the master agreement template before any signature for review by your attorney.

Frequently asked questions

What's typically in a managed IT services contract?
A complete MSP contract has 12 sections: scope of services, defined SLAs, pricing and billing terms, contract term and renewal, change-management process, security obligations (MFA, EDR, backup, patching), regulatory annexes (BAA for healthcare, GLBA addendum for finance), data-handling and confidentiality, limitation of liability, insurance requirements, termination and offboarding, and the appendix listing covered endpoints, mailboxes, locations, and add-ons.

What contract length is normal for a managed IT agreement?
Most managed IT agreements run 12 to 36 months. 12 months is the common starting point, often with auto-renewal and a 60- or 90-day notice to end. Longer terms sometimes come with discount tiers; ask what the give-back is if you're committing to 36 months instead of 12.

What SLAs should be in writing?
At minimum: response time on tickets (usually 1 business hour), resolution time targets by severity (P1 same business day, P2 next business day, P3 within a week), after-hours emergency response (if included), uptime targets for managed infrastructure, and the time-to-isolate SLA on the security side (often 15–30 minutes). All measurable, all in the agreement.

What should the offboarding terms say?
Three things: (1) the MSP returns credentials, configurations, recovery keys, and documentation at no cost at the end of the agreement; (2) data the MSP holds operationally (RMM agent data, ticket history, backup configs) is removed or returned per your instruction; (3) a transition meeting with your incoming provider is included. Offboarding charges, if any, should be specified before you sign — not after you give notice.

Should the MSP have a written security obligation in the contract?
Yes. The contract should specify the security controls the MSP is responsible for (MFA enforcement, EDR coverage, patch SLA, backup retention, restore-test cadence), the controls the client is responsible for (training completion, vendor BAAs the client signs, etc.), the breach-notification timeline, and the cyber-insurance the MSP carries. If the contract is silent on security, the security work is also informal.