Consulting Agreement for Technology & SaaS
Last updated: May 2026 | 11 min read
Quick Answer
Default US copyright law leaves work-product ownership with the consultant unless the contract has an express written assignment — and "work made for hire" under 17 USC 101 only operates for code that fits one of nine narrow categories or includes a written backup assignment. Get the IP clause wrong and the company is licensing back its own backend code. Add to that: California AB 5 / Dynamex ABC test (Labor Code 2750.3) for misclassification with 8-year statute of limitations, SOC 2 Trust Services Criteria for vendor management when the consultant touches production, GDPR Art. 28 / CCPA service-provider language whenever PII flows, the EU AI Act (Regulation 2024/1689) phased compliance for GPAI providers through August 2026, and customer-imposed flow-downs in your MSA's vendor management exhibit. Typical 2025–2026 fees: senior engineer $150–$300/hour; staff or principal $250–$500/hour; fractional CTO retainer $10k–$25k/month; SOC 2 readiness $30k–$120k flat; AI/LLM systems consultant $200–$600/hour. Every clause below should be in the engagement letter before the consultant gets a GitHub invite or an AWS IAM role.
The unique risks of tech/SaaS consulting
Four risks define tech and SaaS consulting. First, IP ownership defaults. Under 17 USC 201(a), copyright vests initially in the author — i.e., the consultant, not the company. The work-made-for-hire doctrine at 17 USC 101 only flips that default if the work fits one of nine narrow categories (none of which clearly includes generic software) AND the parties signed a written agreement. The Community for Creative Non-Violence v. Reid (490 U.S. 730, 1989) test is the controlling precedent. Without an express written assignment (and a present-assignment backup like "Consultant hereby assigns to Company all right, title, and interest..."), the company has a license, not ownership — meaning it cannot stop the consultant from reusing the code with a competitor.
Second, misclassification. The IRS three-factor test (behavioral, financial, relationship), the DOL economic-realities test (DOL 2024 Final Rule effective March 11, 2024), California's ABC test under Labor Code 2750.3 (post-Dynamex/AB 5), and Massachusetts and New Jersey's stricter variants converge on the same answer when a "consultant" works 40 hours/week exclusively for one company, uses company email and laptops, attends standups, and reports to a manager: that's an employee. Misclassification creates back-wage, overtime, benefit, payroll-tax, and unemployment-insurance exposure with statutes of limitations of 3–8 years. The IRS Section 530 safe harbor and SS-8 procedures help, but only with consistent treatment.
Third, customer flow-downs. Your enterprise customers' MSAs almost always include vendor management requirements (subprocessor approval, SOC 2 audit rights, GDPR Art. 28 processor obligations, CCPA service-provider contract requirements at Cal. Civ. Code 1798.140(ag) and 1798.100(d), incident notification SLAs). If the consultant touches customer data, those flow-downs apply. A consulting agreement that does not mirror them puts the company in breach of its own subscription terms.
Fourth, AI training data and outputs. The EU AI Act (Regulation 2024/1689, OJ L 2024/1689) entered into force August 1, 2024 with phased compliance: prohibited practices since February 2, 2025; GPAI provider obligations since August 2, 2025; high-risk AI systems August 2026; full compliance August 2027. Recent US cases (Thomson Reuters v. Ross Intelligence, 2025) and the ongoing Andersen v. Stability AI, Concord Music Group v. Anthropic, NY Times v. OpenAI litigation are reshaping training data rights. Consultants who use AI coding tools, train models on customer data, or build LLM features need explicit contract terms.
Industry-specific clauses to include
- Express IP Assignment + Present Assignment + WMFH Backup: "All Deliverables are works made for hire under 17 USC 101 to the extent permitted; to the extent any Deliverable does not so qualify, Consultant hereby presently irrevocably assigns to Company all right, title, and interest, including all copyrights, patents, trademarks, and trade secrets." The triple structure handles the WMFH category gap.
- Background IP Carve-Out with License-Back: Consultant identifies in Schedule A any pre-existing tools, libraries, scripts, or methodology incorporated into Deliverables; Consultant grants Company a perpetual, worldwide, royalty-free license to use the Background IP within the Deliverables.
- Open-Source License Compliance: Consultant warrants no copyleft (GPL, AGPL, LGPL, EPL, SSPL) or other restrictive-license code is incorporated into Deliverables without prior written approval; provides SBOM (software bill of materials) per Executive Order 14028 / NTIA Minimum Elements for any production deliverable.
- AI Tool Use Disclosure: Consultant discloses use of code-generation AI (GitHub Copilot, Cursor, Codeium, Claude, ChatGPT, etc.); warrants outputs do not infringe third-party IP; for customer-data or proprietary-code inputs, uses only enterprise tier with zero retention and no training on inputs (e.g., GitHub Copilot Business, ChatGPT Enterprise, Anthropic API with default no-training, Cursor Privacy Mode).
- Independent Contractor + Multi-Factor Test Acknowledgement: Consultant acknowledges IRS three-factor, DOL economic-realities (DOL Final Rule 89 FR 1638, effective March 11, 2024), and applicable state ABC test (Cal. Labor Code 2750.3, MA c.149 §148B, NJ ABC); not entitled to benefits, withholding, or workers' comp; uses own equipment and methods.
- Production Access & Least Privilege: All access via named SSO accounts with MFA; no shared credentials; no production write access without written change-management approval; logging and audit trail retained for 12 months; immediate revocation at termination.
- Customer Data DPA / Service-Provider Terms: Where consultant processes personal data, the agreement incorporates GDPR Art. 28 processor obligations, CCPA "service provider" language at Cal. Civ. Code 1798.140(ag), and SCCs Module 3 (controller-to-processor) for any EU-to-US transfer; mirrors the customer-facing DPA.
- Security Incident SLA: Consultant notifies company within 24 hours of suspected unauthorized access, data exfiltration, or material vulnerability discovery; supports company's 72-hour GDPR Art. 33 supervisory authority notification clock and applicable state breach laws.
- SOC 2 / ISO 27001 Vendor Management Support: Consultant completes annual security questionnaire (SIG, CAIQ, or company's own); maintains current SOC 2 Type II or equivalent attestation if scope warrants; supports company's auditor walkthrough on request.
- Non-Solicitation (12 months, narrowly drafted): No solicitation of employees or contractors of company; no solicitation of customers for competing services; carved back to permit general advertisements and post-public departures. Avoid broad non-competes — the FTC Non-Compete Rule (16 CFR 910) was vacated nationwide by Ryan LLC v. FTC (N.D. Tex. August 2024) but California Business & Professions Code 16600 still voids most employee non-competes, and the 2024 Minnesota and 2023 New York legislation tightens them further.
- Export Controls & Sanctions: Consultant complies with EAR (15 CFR 730-774) for any deemed-export technology release to foreign persons, including the May 2024 EAR rule updates on advanced computing; warrants no consultant or subcontractor on OFAC SDN list or in comprehensively sanctioned jurisdictions (Cuba, Iran, North Korea, Syria, Crimea, DNR/LNR).
Common mistakes in tech/SaaS consulting agreements
- Bare "work for hire" language without present assignment. WMFH only operates for specially commissioned works fitting nine 17 USC 101 categories. Standard SaaS code does not clearly fit. Without the backup present assignment, you have a license, not ownership.
- Putting a "contractor" on payroll-like full-time hours. California, Massachusetts, New Jersey, and Illinois' ABC tests make most full-time-equivalent contractors functionally misclassified. The 1099 is not a defense if the relationship doesn't fit.
- No AI tool disclosure. The consultant feeding your proprietary code into ChatGPT's consumer tier just gave OpenAI a license to train on it (per the consumer ToS as of mid-2026, depending on opt-out). Require enterprise tier with no-training settings.
- Generic "comply with applicable law" instead of named statutes. Customer auditors and acquirers want to see GDPR Art. 28, CCPA service-provider, SCCs Module 3, and applicable HIPAA BAA / GLBA language called out. Vague language fails diligence.
- Forgetting copyleft scan. An unattributed AGPL snippet pulled into production can contaminate proprietary code under the strongest reading. Require SBOM and license scan as a deliverable acceptance criterion.
- Broad non-compete that won't survive state law. California voids them outright under Bus & Prof Code 16600; many other states limit duration and geography. Use narrow non-solicit + confidentiality + no-hire instead.
- No SOC 2 vendor-management language for a vendor who can touch customer data. Your customers' MSAs almost certainly require it. Skipping it puts you in breach of your subscription terms.
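The copyleft scan that the Open-Source License Compliance clause and the "forgetting copyleft scan" mistake both call for, as an added Python example (not code from the page or from any project it names): it walks a constructed CycloneDX-style SBOM, flags every component whose SPDX license id or expression falls in a copyleft family named in the clause, and reports entries missing the version or license data an SBOM must carry. The SBOM contents and component names are made up for the example.

```python
import json

# Copyleft / restrictive license families named in the clause, as SPDX id prefixes.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-", "EPL-", "SSPL-")

# Constructed CycloneDX-style SBOM standing in for a consultant's deliverable.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "acme-json-helper", "version": "1.4.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "dual-licensed-lib", "version": "0.9.1",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
        {"type": "library", "name": "unlabelled-util", "licenses": []},
    ],
})

def component_licenses(component):
    """Collect every SPDX id, name or expression attached to a component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found

def is_copyleft(license_text):
    """True if any token of an id or expression starts with a copyleft prefix."""
    tokens = license_text.replace("(", " ").replace(")", " ").split()
    return any(tok.upper().startswith(COPYLEFT_PREFIXES) for tok in tokens)

def review_sbom(sbom_json):
    """Return (copyleft_hits, incomplete): entries needing written approval, and entries missing version or license data."""
    copyleft_hits, incomplete = [], []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        licenses = component_licenses(comp)
        if not comp.get("version") or not licenses:
            incomplete.append(name)
        copyleft_hits += [(name, lic) for lic in licenses if is_copyleft(lic)]
    return copyleft_hits, incomplete

def passes_acceptance(sbom_json):
    """Acceptance gate: no unapproved copyleft and no incomplete entries."""
    hits, incomplete = review_sbom(sbom_json)
    return not hits and not incomplete
```

A dual-licensed "GPL-2.0-only OR MIT" entry is deliberately flagged so the MIT election is confirmed in writing rather than assumed.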
Regulatory landscape
IP: Copyright Act (17 USC) with 201(a) (vesting) and 101 (WMFH definition); Patent Act (35 USC) with 261 (assignability); Defend Trade Secrets Act (18 USC 1836) and state UTSA; Computer Fraud and Abuse Act (18 USC 1030) for unauthorized access. DMCA (17 USC 1201) anti-circumvention. Open source: GPL/LGPL/AGPL (FSF), Apache 2.0, MIT, BSD-3, MPL 2.0, with the AGPL and SSPL creating the broadest reach-through obligations.
Privacy & security: California CCPA/CPRA (Cal. Civ. Code 1798.100 et seq.) including the 2023 CPRA Reg amendments and 2024 cybersecurity audit / risk assessment / ADMT regulations finalized December 2024; Colorado CPA (CRS 6-1-1301), Virginia VCDPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA (effective July 1, 2024), Oregon OCPA (effective July 1, 2024), and 16+ other state comprehensive privacy laws; GDPR (Reg. 2016/679); UK GDPR; ePrivacy Directive for cookies; CalOPPA for online privacy notices; COPPA for under-13s; HIPAA for PHI; GLBA for financial NPI; FTC Act Section 5 for unfair or deceptive practices. SCCs (EU 2021/914) for international transfers; UK IDTA for UK transfers.
Security: NIST CSF 2.0 (Feb 2024); NIST SP 800-53 Rev. 5; SOC 2 (AICPA TSC 2017, revised 2022); ISO/IEC 27001:2022; PCI DSS v4.0.1 (effective March 31, 2025); Executive Order 14028 (May 2021) and the resulting NIST Secure Software Development Framework (SSDF) NIST SP 800-218; FedRAMP for federal customers; StateRAMP for state. SBOM: NTIA Minimum Elements for an SBOM (July 2021); CISA SBOM guidance.
AI: EU AI Act (Regulation 2024/1689) with prohibited practices since Feb 2, 2025, GPAI obligations since Aug 2, 2025, high-risk AI Aug 2, 2026, full compliance Aug 2, 2027; NIST AI Risk Management Framework (AI RMF 1.0); Colorado AI Act (SB 24-205 effective Feb 1, 2026); California's AI bills (SB 1047 vetoed; AB 2013 training-data transparency effective Jan 1, 2026; SB 942 AI Transparency Act effective Jan 1, 2026). Executive Order on AI (EO 14110) was rescinded by EO 14148 in January 2025 — replaced by the new administration's AI policy.
Labor: FLSA (29 USC 201 et seq.) and DOL 2024 Independent Contractor Final Rule (89 FR 1638, March 11, 2024); IRS three-factor test and SS-8 procedures; ERISA for benefits exposure; California Labor Code 2750.3 (AB 5); MA c.149 §148B; NJ ABC test (Hargrove v. Sleepy's). FTC Non-Compete Rule (16 CFR 910) vacated August 2024 by Ryan LLC v. FTC (N.D. Tex.); state non-compete laws still apply, including California Bus & Prof Code 16600 (broadly voids non-competes) and the September 2024 California amendments (SB 699, AB 1076) requiring employer notice.
Sample fee structure
US tech/SaaS consulting fee benchmarks for 2025–2026:
- Senior engineer (5–10 yr experience): $125–$250/hour; or $20,000–$40,000/month for full-time-equivalent.
- Staff / principal engineer: $200–$450/hour; or $30,000–$60,000/month FTE.
- Fractional CTO / VP Engineering: $10,000–$25,000/month for 20–40 hours; $400–$700/hour for project work.
- Product management consultant: $150–$350/hour; fractional $8,000–$20,000/month.
- AI/ML engineer or LLM systems consultant: $200–$600/hour; specialized researchers and fine-tuning experts $500–$1,200/hour.
- SOC 2 readiness consultant: $30,000–$120,000 flat-fee for Type II readiness over 4–6 months; auditor fees separate ($25,000–$80,000).
- ISO 27001 readiness: $40,000–$150,000 over 6–9 months; certification body fees separate.
- HIPAA Security Risk Assessment (per 45 CFR 164.308(a)(1)(ii)(A)): $10,000–$45,000.
- GDPR/CCPA privacy program build: $30,000–$120,000 fixed-fee.
- Penetration test (external, web, mobile): $15,000–$60,000 per scope; PCI-scoped $25,000–$80,000.
- Big Four / strategy consultancy (Bain, McKinsey, BCG, Deloitte): day rates $3,500–$8,000 for senior managers; full team engagements $200,000–$2M+ per quarter.
For early-stage startups, equity compensation in lieu of cash is common — typically 0.1%–0.5% NSOs vesting over 1–4 years. Tax treatment depends on whether the consultant is treated as a contractor (1099-NEC + IRC Section 83(b) election timing) or an employee. Get cap-table and tax counsel involved before issuing.
How to draft this in Word with LexDraft
Open the LexDraft add-in inside Word and start from the consulting agreement template, then insert the express IP assignment + present-assignment + WMFH triple, open-source compliance, AI tool disclosure, and SOC 2 vendor-management clauses from the clause library. Where the consultant will process customer personal data, layer in GDPR Art. 28 / CCPA service-provider language matching the customer-facing DPA. For early-stage product discussions with a potential acquirer, investor, or technology partner, the NDA template covers pre-engagement confidentiality. The broader templates library covers how the pieces fit. Comparing drafting tools? See LexDraft vs Spellbook.
Frequently asked questions
Does "work made for hire" language alone give the company ownership of consultant-written code?
No. Work made for hire under 17 USC 101 only operates for (a) works prepared by an employee within the scope of employment, or (b) specially commissioned works fitting one of nine specific categories (none of which cleanly includes software code) AND with a written agreement. The CCNV v. Reid (1989) test controls. For consultant-written code, you need an express written assignment with present-tense language ("Consultant hereby assigns...") to ensure the rights actually transfer.
Can a consultant work full-time for one company and still be a contractor?
Honestly, if the consultant works 40 hours/week exclusively for you for 6+ months under your direction with your laptop and your email, most state ABC tests (especially California's Labor Code 2750.3 under Dynamex/AB 5) will treat them as an employee regardless of contract language. Structural fixes: project-based scope with defined deliverables (not hours), the consultant uses their own equipment, no employee-style integration (no company email, not in the org chart, separate office), bills monthly, has other clients. If you need a full-time person, consider engaging through a PEO or converting to W-2.
Can consultants use AI coding tools on our proprietary code?
Only with explicit permission and only on enterprise tiers with no-training settings. GitHub Copilot Business and Enterprise (with the "do not retain code snippets" setting), ChatGPT Enterprise (with default no-training), and Claude API (default no-training for API use) are typically acceptable. Consumer-tier ChatGPT, free Copilot, and personal Anthropic accounts may train on inputs and create both confidentiality and copyright contamination risk. The contract should name approved tools and require the no-training setting verified annually.
Do we need a DPA if the consultant only has access to application logs?
If logs contain personal data — IP addresses, email addresses, user identifiers, support-ticket contents — yes, in most jurisdictions. GDPR Art. 28 requires a written processor contract; CCPA requires service-provider terms at Cal. Civ. Code 1798.140(ag); state comprehensive privacy laws have similar requirements. A short DPA or processor addendum to the consulting agreement is the standard approach. Filter logs to remove PII where feasible, but assume some PII will be present in real-world log streams.
Can we enforce a non-compete against a consultant?
In California, no — Business & Professions Code 16600 voids most non-competes (and SB 699 / AB 1076 in 2024 added employer notice and damages exposure). In Minnesota, the July 2023 statute bans employee non-competes. New York and Washington restrict them sharply. Many other states limit duration (typically 1–2 years) and require reasonable scope and consideration. The FTC's federal non-compete rule was vacated in August 2024 by Ryan LLC v. FTC, but state law still controls. The practical alternative is a narrow non-solicitation (employees, contractors, customers for competing services), strong confidentiality and trade-secret terms, and a no-hire clause for company employees.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Laws change frequently and may vary by jurisdiction. Consult a licensed attorney for advice specific to your situation.