
Writing Skill Files

As AI agents proliferate, more procedural workflows will be codified in "skills" that agents can leverage to reliably complete tasks. At its core, a skill is just a documented workflow: plain text instructions for the agent to follow, plus a predictable output format.

This post is a thought exercise in writing a skill that is relevant to most businesses -- reviewing inbound vendor agreements where the company is the customer. This type of contract review is a good example because it's repetitive and easy to do inconsistently in a fast-moving environment.

What a SKILL.md file does

As referenced in my previous post, at the root of every skill sits a SKILL.md file. It typically includes (i) a name and description for the skill, (ii) a clear scope and boundary, and (iii) step-by-step instructions that produce a consistent output.

Key considerations

Before drafting a SKILL.md file, there are a few decisions that will determine whether the skill will work in practice:

  • Scope. What inputs does the skill handle, and what sits outside its scope? A skill for inbound vendor agreements is different from a skill for employment agreements, financing documents, or NDAs. Clearly defining the scope prevents the agent from applying the wrong framework to the wrong problem.

  • Recipient. Who will read the output? A founder or ops lead typically wants plain English, a short decision-oriented summary, and clear negotiation asks. A general counsel will want tighter language, more nuance, and a different level of detail. The skill should clearly define the intended recipient so the agent can calibrate the tone and format accordingly.

  • Priority. Not all issues carry equal weight. The skill must tell the agent what to surface first, what to note but deprioritize, and what to skip. Without this, agents tend to treat every clause observation as equally important, which will make the output harder to act on.

  • Limits. What does this skill explicitly not cover? Setting clear boundaries matters because contracts can vary by jurisdiction, industry, and regulatory obligations. Defining what's out of scope is often as important as defining what's in scope.

Writing SKILL.md

With those considerations in mind, and with the assistance of AI, I drafted the SKILL.md file below for reviewing inbound vendor agreements where the company is the customer and the output will be read by a founder or operations lead.

---
name: contract-review
description: >
  Reviews inbound vendor agreements where the company is the customer.
  Covers SaaS subscriptions, professional services, infrastructure supply,
  and data processing agreements. Produces a structured review memo with
  risk assessment and recommended negotiation points. Use when reviewing
  a vendor contract or preparing for contract negotiation.
  Does not cover: employment, international contracts, regulated industries,
  NDAs (see NDA_REVIEW.md).
---

# Vendor Contract Review — Customer-Side

## Reader assumption
Output is read by a founder or ops lead, not a lawyer.
Plain English throughout. No legal jargon without explanation.

## Operating principles
- Optimize for fast, accurate risk triage and clear negotiation asks.
- Do not summarize every clause. Surface only what requires attention or a decision.
- Be consistent: use the negotiation posture library (Target / Fallback / Escalate).
- If customer data or production access is involved, treat Security/Privacy as Priority 1.

---

## Step 0: Intake context (must do before review)

Extract (or ask the requester if unknown):

- What are we buying: SaaS / professional services / infra / data / other
- Business criticality: Tier 1 (mission critical), Tier 2 (important), Tier 3 (nice-to-have)
- Data involved:
  - None
  - Internal business data only
  - Customer personal data
  - Sensitive data (health, biometrics, financial account data, etc.)
- System access:
  - SSO/SCIM admin access?
  - Production environment access?
  - Ability to export/ingest large datasets?
- Contract stack / documents:
  - MSA / subscription agreement
  - Order form(s)
  - SOW(s)
  - DPA
  - Security exhibit
  - AUP / acceptable use / online policies (URLs)
- Timeline and constraints:
  - Go-live date
  - Procurement budget / approval threshold
  - Any "must-have" requirements (SOC 2, SSO, data residency, etc.)

If any of the above is unknown, state "Unknown" and proceed, but flag that review confidence is reduced.

---

## Step 1: Classify the contract (structure + authority)

Identify contract type before clause review. Note:

- Contract type: SaaS subscription / services SOW / infra supply / DPA-only / hybrid
- Parties (legal names) and affiliates covered (does it cover subsidiaries?)
- Effective date, term, renewal term length, expiration date
- Governing law and jurisdiction / venue
- Whether companion documents exist (MSA + Order Form + DPA + SOW)
- Incorporation by reference:
  - List each incorporated policy/doc (including URLs) and whether vendor can update it
- Order of precedence:
  - Which doc wins in a conflict (MSA vs Order Form vs DPA vs online terms)

Immediate flags:
- Online terms/AUP/policies can be changed unilaterally and override negotiated terms
- Order of precedence puts online terms above the MSA/Order Form
- Vendor is "merchant of record" via clickwrap terms not provided in full

---

## Step 2: Extract core commercial terms (table always required)

Produce this table at the top of every memo:

| Field                      | Value |
|---------------------------|-------|
| Vendor                    |       |
| Contract type             |       |
| Business criticality tier | Tier 1 / Tier 2 / Tier 3 |
| Data involved             | None / Internal / Customer personal / Sensitive |
| System access             | None / SSO/SCIM / Admin / Production |
| Term                      |       |
| Auto-renewal              | Yes/No — notice period required |
| Auto-renewal deadline     | [calculated date, not just "X days before"] |
| Renewal term length       |       |
| Fees (annual + one-time)  |       |
| Usage metric + overages   |       |
| Payment terms             |       |
| Late fees                 |       |
| Fee escalation / renewal pricing |       |
| Taxes / invoicing         |       |
| Refunds on termination    |       |
| Governing law             |       |
| Effective date            |       |

Calculate the auto-renewal deadline using the stated contract dates. If dates are missing, state what you would need to calculate it.

Immediate flags (commercial):
- Auto-renewal notice window fewer than 60 days (or unclear)
- Payment terms Net 15 or faster, or "due on receipt"
- Late fees above 1.5% per month or compounding penalties
- "Then-current rates" at renewal with no cap or price protection
- Usage metric is vague or vendor-controlled with no auditability
- Overage pricing is uncapped or undefined

---

## Step 3: Review clauses in priority order

### Priority 1 — Flag and escalate (high-impact / high-likelihood)

For each item found: capture section number + 1–2 sentence quote + plain-English risk + recommended ask.

1) Liability (cap structure + carve-outs + symmetry)

- Find limitation of liability and exclusions of damages.

Flag if:
- Customer is uncapped but vendor is capped (asymmetry)
- Cap is functionally toothless (e.g., 1–3 months fees for a Tier 1 system)
- Vendor excludes all meaningful remedies (overbroad consequential damages + no direct damage path)
- Vendor's indemnity obligations are inside a tiny cap without any supercap for high-risk areas (especially security/privacy)

Also note:
- Is the cap "fees paid" vs "fees payable"? Does it include one-time fees? Are affiliates included?
- Are there carve-outs that are uncapped or supercapped (IP infringement, confidentiality breach, security incident)?

2) Data use restrictions (including AI/ML)

Flag if:
- Vendor can use customer data for purposes beyond providing/supporting the service (e.g., "improve products" broadly)
- Vendor can train models on customer data by default (no opt-in)
- Prompts/inputs/outputs are excluded from confidentiality or treated as vendor data
- Data retention is indefinite or not addressed

3) Security + breach notification + subprocessors

Flag if:
- No security commitments (or only "commercially reasonable" with no exhibit/controls)
- No defined breach notification obligation, or notice timing is vague/unbounded
- Vendor can use subprocessors without disclosure/flow-down obligations
- No obligation to maintain a security program appropriate to the data/access level

If data involved is customer personal or sensitive, treat this as non-negotiable unless leadership accepts the risk.

4) IP ownership / work product / deliverables

Flag if vendor claims ownership of:
- Customer data, derived data that identifies the customer, or customer-specific outputs
- Work product created for the customer under an SOW (unless clearly vendor pre-existing materials)
- Custom configurations, integrations, or deliverables that the customer paid for (services context)

For AI/ML vendors: specifically flag claims over outputs and any license back from customer to vendor.

5) Unilateral modification rights (pricing/terms/service levels)

Flag if vendor can change:
- Pricing, metrics, or fee structure unilaterally
- Material terms via updated policies with short notice (under 30 days) or no notice
- SLAs without customer consent

6) Suspension / termination by vendor

Flag if:
- Vendor can suspend/terminate for convenience, or for broad reasons, without a cure period
- Suspension rights are not limited to security/legal necessity
- Vendor can suspend for "suspected" issues without notice and escalation steps

7) Auto-renewal traps

Flag if:
- Cancellation notice fewer than 60 days
- Renewal term length is long (e.g., 12–36 months) with no termination flexibility
- Renewal happens at "then-current" pricing with no cap

8) Dispute resolution (arbitration, venue, class action waiver)

Flag if:
- Mandatory arbitration is required
- Venue is outside a major U.S. city and creates practical burden
- Class action waiver exists (note it, and escalate if company policy disallows)

9) Order of precedence / incorporated documents

Flag if:
- Online policies/AUP can override negotiated terms
- "Clickwrap" terms bind the customer without being attached
- Vendor can update incorporated documents unilaterally with no customer remedy

---

### Priority 2 — Note and recommend negotiation (important, often fixable)

1) Termination for convenience (customer-side)

- Can the company terminate without cause?
- Notice required?

Flag if:
- Absent entirely for multi-year deals (especially Tier 2/3)
- Notice exceeds 90 days
- No refund/credit for prepaid unused fees after termination (where commercially reasonable)

2) SLA, support, and remedies

- Uptime commitment (if any)
- Support response times (severity-based)
- Remedies for SLA breach

Flag if:
- Uptime below 99.5% for Tier 1 SaaS
- Remedies are service credits only with no termination right for chronic failure
- No defined support commitments for Tier 1 systems

3) Indemnification (scope + balance)

Note who indemnifies whom and for what. Flag if:
- Vendor does not provide IP infringement indemnity for the service/deliverables (software context)
- Customer indemnifies vendor broadly (beyond customer content misuse)
- Indemnity exclusions are too broad (e.g., "any combination" in a way that defeats the protection)

4) Warranty / performance commitment

Flag if:
- No commitment the service will perform materially in accordance with documentation
- All warranties are disclaimed with no meaningful performance standard

5) Data ownership + portability on exit

Confirm:
- Customer owns customer data
- Export available in a usable format
- Reasonable assistance for migration (especially Tier 1)

Flag if absent or ambiguous.

6) Audit rights (security/compliance)

If Tier 1 or customer personal/sensitive data:
- Look for SOC 2 reports, audit summaries, or customer audit rights

Flag if:
- No ability to obtain reasonable security documentation
- Customer cannot verify controls in any form

7) Insurance

Note if vendor maintains:
- Cyber liability (if data/access risk)
- General/professional liability

Flag if absent for higher-risk vendors.

8) Assignment / change of control

Flag if:
- Vendor can assign to anyone without notice
- Customer cannot assign to affiliates or in connection with a reorg/M&A

9) Publicity / logo use

Flag if vendor can use the company name/logo without consent.

10) Fees: escalation and metric changes

Flag if:
- CPI+ is not defined, or increases are uncapped
- Vendor can change usage definitions mid-term

---

### Priority 3 — Record only (unless obviously problematic)

- Notice requirements (method, address, timing)
- Confidentiality survival term
- Force majeure scope
- Export controls and sanctions boilerplate
- Non-solicit (services) if narrow and time-limited

---

## Step 4: Produce the review memo

### Required structure

1) Header
- Vendor
- Contract type + documents reviewed
- Date reviewed
- Reviewer confidence: High / Medium / Low (based on completeness of documents)

2) Executive summary (3–6 sentences)
- Overall risk level: Low / Medium / High
- One-sentence "decision needed": sign / negotiate / escalate to counsel
- Primary risks (top 2–3)
- Commercial note: renewal risk + pricing risk in one sentence

3) Top negotiation asks (max 5)

For each ask:
- Ask (what we want changed)
- Why it matters (1 sentence)
- Target / Fallback / Escalate

4) Flagged items (Priority 1 then Priority 2)

For each item:
- Section reference
- 1–2 sentence quote (no long blocks)
- Plain-English explanation
- Recommended change (use Target/Fallback/Escalate)

5) Commercial terms table (from Step 2)

6) Items not found (absence is risk)

List any Priority 1 and Priority 2 clauses not found or not addressed.
Example: "No DPA / no breach notice / no uptime SLA / no IP indemnity."

### Output standards
- State risk level directly. Do not hedge every item into equal importance.
- If a clause is genuinely ambiguous and interpretation matters, say so and recommend counsel review.
- Do not include a disclaimer in the body of the memo.

---

## Negotiation posture library (use consistently)

Use these default positions unless the requester provides different ones.

### Liability
- Target: Mutual cap = 12 months of fees paid/payable under the order form; direct damages only; reasonable exclusions.
- Fallback: Mutual cap = 24 months; or supercap for security/privacy = 2x annual fees.
- Escalate: Customer uncapped while vendor capped; cap < 6 months for Tier 1; no meaningful remedy for security/privacy.

### Security + breach notice
- Target: Defined security program + security exhibit; breach notice within 72 hours of confirmed incident impacting customer data; subprocessors disclosed and bound.
- Fallback: 5 business days for notice if vendor insists; annual SOC 2 report or equivalent summary.
- Escalate: No breach notice obligation; vendor refuses any security commitments while handling customer personal/sensitive data.

### Data use / AI training
- Target: Use limited to providing/supporting service; no AI training on customer data by default (opt-in only); prompts/inputs/outputs treated as confidential.
- Fallback: Training allowed only on de-identified/aggregated data with explicit written opt-in and the ability to disable.
- Escalate: Vendor claims broad rights to use/train on identifiable customer data or refuses confidentiality coverage.

### IP / work product
- Target: Customer owns customer data; vendor owns pre-existing IP; customer owns (or receives broad perpetual license to) paid-for deliverables; outputs usable by customer.
- Fallback: Vendor retains ownership but grants customer perpetual, irrevocable, worldwide license for internal use and to maintain/modify.
- Escalate: Vendor claims ownership of customer data or customer-specific outputs; restricts customer's ability to use deliverables.

### Unilateral changes / online terms
- Target: No unilateral changes to pricing/metrics/material terms; policy changes require notice and customer right to terminate if materially adverse.
- Fallback: 30–60 days notice + termination right for material adverse changes.
- Escalate: Vendor can change pricing/terms unilaterally with short/no notice and no customer remedy.

### Termination and renewal
- Target: No auto-renew, or at least 60 days notice window; customer termination for convenience with 30 days notice for Tier 2/3.
- Fallback: Auto-renew with 60–90 days notice; termination for convenience only at renewal or after initial term.
- Escalate: Short cancellation window + long renewal terms + "then-current" pricing with no cap.

### SLA / remedies
- Target: 99.9% (Tier 1) / 99.5% (Tier 2) uptime; service credits plus termination right for chronic failure.
- Fallback: Credits-only if generous and paired with escalation/support commitments.
- Escalate: No SLA for Tier 1 service; remedy so limited it's meaningless.

### Indemnity
- Target: Vendor IP infringement indemnity for service/deliverables; customer indemnity limited to customer content misuse.
- Fallback: IP indemnity inside cap if cap is increased appropriately.
- Escalate: No vendor IP indemnity for software; customer broadly indemnifies vendor.

---

## Clause keywords (review efficiency helpers)

Use these keywords to find relevant clauses quickly:

- liability, limitation of liability, exclusion of damages, consequential, indirect
- indemnify, defense, infringement, intellectual property
- data, customer data, usage data, telemetry, analytics, de-identified, aggregated
- security, safeguards, incident, breach, notification, subprocessors, audit, SOC 2
- AI, machine learning, model, training, prompts, outputs, improve services
- renewal, auto-renew, term, cancellation, notice period
- suspension, termination, cure period
- order of precedence, incorporation by reference, acceptable use, policies

The skill is designed to produce a consistent first-pass review memo that a founder or ops lead can act on quickly. It does three things in sequence:

  • Intake context (Step 0). The agent collects the minimum context needed to interpret risk correctly: criticality tier, data involved, system access, the full contract stack (MSA, Order Form, DPA, online terms), and any timeline constraints.

  • Extract commercial terms (Step 2). The agent produces a standard table capturing the contract term, auto-renewal, notice deadlines, fees, usage metrics, payment terms, and renewal pricing mechanics, then flags common traps (e.g., short notice windows, "then-current rates," vendor-controlled usage metrics).

  • Triage legal risk by priority (Step 3). The agent focuses first on high-impact, high-likelihood issues (Priority 1), then negotiable but important issues (Priority 2), and records the rest (Priority 3). For each flagged issue, it quotes the relevant clause, explains the practical risk in plain English, and recommends a negotiation ask.

The output memo is intentionally decision-oriented, providing a risk level (Low/Medium/High), a one-line recommendation (sign / negotiate / escalate), and a short list of top negotiation asks with Target / Fallback / Escalate positions for the founder/ops lead to act on.
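As an added illustration (not part of the original post or its SKILL.md), the Step 2 mechanics can be handled deterministically rather than left to the agent's arithmetic: the auto-renewal deadline becomes a real date computed from the stated contract dates, missing inputs are reported instead of guessed, and the commercial flags are evaluated with the skill's own thresholds. The term-end convention and the sample terms are my assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds copied from the skill's "Immediate flags (commercial)" list.
MIN_NOTICE_DAYS = 60
FAST_PAYMENT_DAYS = 15
MAX_LATE_FEE_PCT_PER_MONTH = 1.5

@dataclass
class CommercialTerms:
    """Step 2 table inputs; None means the documents did not state the value."""
    effective_date: Optional[date]
    initial_term_months: Optional[int]
    notice_days: Optional[int]          # cancellation notice required before term end
    payment_terms_days: Optional[int]   # 30 for Net 30, 0 for "due on receipt"
    late_fee_pct_per_month: Optional[float]
    renewal_pricing: str                # wording lifted from the renewal clause
    renewal_price_cap: bool             # True if a cap or price protection exists

def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping to the last valid day of the month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def renewal_deadline(t: CommercialTerms) -> tuple[Optional[date], list[str]]:
    """Last day to send non-renewal notice, plus the inputs still needed if it
    cannot be computed. Assumes (my convention) the initial term ends the day
    before its anniversary and the notice period counts back from that day."""
    needed = [("effective date", t.effective_date),
              ("initial term length", t.initial_term_months),
              ("notice period", t.notice_days)]
    missing = [name for name, value in needed if value is None]
    if missing:
        return None, missing
    term_end = add_months(t.effective_date, t.initial_term_months) - timedelta(days=1)
    return term_end - timedelta(days=t.notice_days), []

def deadline_cell(t: CommercialTerms) -> str:
    """Text for the 'Auto-renewal deadline' row: a real date, never 'X days before'."""
    deadline, missing = renewal_deadline(t)
    return deadline.isoformat() if deadline else "Unknown (need: " + ", ".join(missing) + ")"

def commercial_flags(t: CommercialTerms) -> list[str]:
    """The skill's immediate commercial flags, evaluated mechanically."""
    flags = []
    if t.notice_days is None:
        flags.append("Auto-renewal notice window unclear")
    elif t.notice_days < MIN_NOTICE_DAYS:
        flags.append(f"Auto-renewal notice window fewer than {MIN_NOTICE_DAYS} days ({t.notice_days})")
    if t.payment_terms_days is not None and t.payment_terms_days <= FAST_PAYMENT_DAYS:
        terms = "due on receipt" if t.payment_terms_days == 0 else f"Net {t.payment_terms_days}"
        flags.append(f"Payment terms {terms} (Net {FAST_PAYMENT_DAYS} or faster)")
    if t.late_fee_pct_per_month is not None and t.late_fee_pct_per_month > MAX_LATE_FEE_PCT_PER_MONTH:
        flags.append(f"Late fees above {MAX_LATE_FEE_PCT_PER_MONTH}% per month")
    if "then-current" in t.renewal_pricing.lower() and not t.renewal_price_cap:
        flags.append('"Then-current rates" at renewal with no cap or price protection')
    return flags

# Constructed sample terms, not taken from any real contract.
SAMPLE = CommercialTerms(date(2025, 3, 1), 12, 30, 15, 1.5, "renews at then-current rates", False)
SAMPLE_UNDATED = CommercialTerms(None, None, 30, 30, None, "fixed pricing", True)

if __name__ == "__main__":
    print("Auto-renewal deadline:", deadline_cell(SAMPLE), "| undated:", deadline_cell(SAMPLE_UNDATED))
    print("\n".join(commercial_flags(SAMPLE)))
```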

Important notes

In drafting the above, a few design choices were intentional and worth calling out:

  • Step 0 (intake context) exists because contract risk is not purely "legal." The same clause can be acceptable or unacceptable depending on whether the vendor has production access, whether customer personal data is involved, and how hard it would be to switch vendors. Capturing that context up front prevents false positives and missed dealbreakers.

  • The file treats order of precedence and incorporated online terms as Priority 1 because they can override everything else. If the contract says the vendor's online policies control and the vendor can update them unilaterally, you do not actually know what you're agreeing to over time.

  • Data use restrictions are Priority 1 (including AI/ML training) because modern vendor terms frequently grant broad rights to "improve services" or train models on customer data. Whether that's acceptable depends on the type of data and your customer commitments, but it should always be subject to review.

  • The output memo structure is designed to force a decision rather than produce a generic summary. A contract review that ends with "here are 40 observations" is less useful than one that ends with "here are the top 5 asks and the conditions under which we escalate."

  • The negotiation posture library (Target / Fallback / Escalate) is what makes the skill operational. It reduces variance across reviewers and turns the memo into something a founder can use in a live negotiation without improvising.

  • The skill explicitly avoids making the final business trade-off. It flags issues and recommends negotiation positions, but it does not decide whether a specific risk is worth accepting. That's where contextual judgment (often by counsel or leadership) remains essential.
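The Step 3 clause keywords and the memo's "Items not found (absence is risk)" section can also be pre-screened mechanically before the agent reads the contract, so that a missing clause category is reported rather than silently skipped. This is an added example, not part of the original post; the mapping of keyword groups to priorities is my reading of Step 3, and the contract excerpt is constructed.

```python
import re

# Keyword groups from the skill's "Clause keywords" section. The priority each
# group maps to is my reading of Step 3: indemnity is Priority 2, the rest Priority 1.
CLAUSE_GROUPS = {
    "Liability": (1, ["liability", "limitation of liability", "exclusion of damages", "consequential", "indirect"]),
    "Indemnity": (2, ["indemnify", "defense", "infringement", "intellectual property"]),
    "Data use": (1, ["data", "customer data", "usage data", "telemetry", "analytics", "de-identified", "aggregated"]),
    "Security / breach notice": (1, ["security", "safeguards", "incident", "breach", "notification", "subprocessors", "audit", "soc 2"]),
    "AI / ML": (1, ["ai", "machine learning", "model", "training", "prompts", "outputs", "improve services"]),
    "Renewal": (1, ["renewal", "auto-renew", "term", "cancellation", "notice period"]),
    "Suspension / termination": (1, ["suspension", "termination", "cure period"]),
    "Order of precedence": (1, ["order of precedence", "incorporation by reference", "acceptable use", "policies"]),
}
# Whole-word matching so that e.g. "incidental" does not count as a hit for "incident".
PATTERNS = {group: re.compile(r"\b(?:" + "|".join(map(re.escape, kws)) + r")\b", re.I)
            for group, (_, kws) in CLAUSE_GROUPS.items()}
_HEADING = re.compile(r"^(\d+(?:\.\d+)*)\.\s+")

def split_sections(text: str) -> list[tuple[str, str]]:
    """Split contract text on blank lines into (section number, body) pairs.
    Paragraphs without a leading number are labelled 'unnumbered'."""
    sections = []
    for para in re.split(r"\n\s*\n", text.strip()):
        body = " ".join(para.split())
        m = _HEADING.match(body)
        sections.append((m.group(1), body[m.end():]) if m else ("unnumbered", body))
    return sections

def scan(text: str) -> dict[str, list[tuple[str, str]]]:
    """Per clause group, the (section, sentence) hits: the sentence in each section
    with the most keyword matches (longest on ties), as the short quote for the memo."""
    hits = {group: [] for group in CLAUSE_GROUPS}
    for number, body in split_sections(text):
        sentences = re.split(r"(?<=[.!?])\s+", body)
        for group, pattern in PATTERNS.items():
            best = max(sentences, key=lambda s: (len(pattern.findall(s)), len(s)))
            if pattern.search(best):
                hits[group].append((number, best))
    return hits

def items_not_found(text: str) -> list[tuple[int, str]]:
    """Memo section 6 ('absence is risk'): groups with no hit, highest priority first."""
    found = scan(text)
    return sorted((prio, group) for group, (prio, _) in CLAUSE_GROUPS.items() if not found[group])

# Constructed contract excerpt for demonstration; not taken from any real agreement.
SAMPLE_CONTRACT = """\
1. Term. This Agreement renews automatically for successive 12-month terms unless
either party gives written notice of non-renewal at least 30 days before the end
of the then-current term.

2. Limitation of Liability. In no event shall Vendor be liable for any indirect,
incidental or consequential damages. Vendor's aggregate liability shall not exceed
the fees paid in the three months preceding the claim.

3. Customer Data. Vendor may use Customer Data to provide the Service and to
improve Vendor's products and services, including training machine learning models.

4. Policies. Customer agrees to Vendor's Acceptable Use Policy as updated from
time to time at the URL provided, which shall control in the event of conflict.
"""

if __name__ == "__main__":
    for group, found in scan(SAMPLE_CONTRACT).items():
        for number, quote in found:
            print(f"[P{CLAUSE_GROUPS[group][0]}] {group}: s.{number}: {quote}")
    for prio, group in items_not_found(SAMPLE_CONTRACT):
        print(f"[P{prio}] NOT FOUND: {group}")
```

A keyword hit only tells the agent where to read; the absence list is the part worth carrying into the memo unchanged.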

Key takeaways

Preparing a skill like this is a reminder that, in many domains, professional expertise is largely a prioritization framework. The core legal and commercial issues that drive most vendor negotiations can be codified into a repeatable first-pass review that can quickly produce a reliable memo.

The human expert then adds value where context matters — deciding which flagged items are dealbreakers, which are acceptable at a given price point, and when the company's broader obligations (customer commitments, regulatory posture, incident response expectations) require escalation. The skill helps make that division of labor explicit by surfacing the issues in a consistent order and format.

Maintaining skill files

One final issue to keep in mind is that a skill file isn't static. The priority structure should change when negotiating positions change, when a new contract type becomes common enough to warrant its own skill, when a missed issue proves significant in practice, or when the intended reader changes.

The benefit of the skill architecture is that updating the file doesn't require any code changes; you just need to revise the text. That's a practical advantage over bespoke software. The logic is readable, can be easily modified, and is owned by the people closest to the work.

Where this goes next

Once you have one skill, you can build a small library (security review, procurement approval, renewal tracking). Over time, these skills start to function like an internal operating system, encoding default positions, producing consistent outputs, and making institutional knowledge easily accessible across the company.