Service Agreement / Master Services Agreement Template
A services agreement governs how one business delivers ongoing or project-based services to another. This template uses the modern MSA + SOW architecture, with enforceable SLAs and service credits, a calibrated liability cap with carve-outs for confidentiality and data-breach exposure, present-tense IP assignment for custom deliverables, and the auto-renewal mechanics that survive the 2024 FTC Negative Option Rule.
Draft an MSA in WordDownload Free Template
Professional Service Agreement Template (.docx) with LexDraft branding
What a services agreement actually does
A services agreement is the commercial contract that governs ongoing or project-based service delivery between two businesses. Its job is to allocate four sets of risks: (i) scope and performance — what gets delivered, on what schedule, to what standard; (ii) payment — fees, invoicing cadence, payment timing, dispute mechanics; (iii) liability and indemnity — what happens when something breaks, infringes, or leaks; and (iv) termination economics — how the relationship ends and who owes what at the exit. The modern best-practice structure is a Master Services Agreement (MSA) governing the commercial framework, signed once, with project-specific Statements of Work (SOWs) stacked underneath. This separates the legal terms from the commercial terms and lets the relationship grow without renegotiating the master each time.
Why bespoke service agreements per project don't scale
A one-off services agreement for each engagement triples the cycle time (procurement re-reviews the entire template), creates inconsistency between engagements (different liability caps, different IP rules), and exposes the provider to whichever set of terms wins the cherry-pick fight in litigation. The MSA + SOW architecture is the single biggest legal-ops improvement most service businesses can make.
Specific scenarios this template covers
- Recurring managed services (IT, security, payroll, bookkeeping): MSA plus a recurring-fee SOW with SLA, service credits, defined response times, and 60-day auto-renewal with notice. Include cyber-liability insurance requirement.
- Custom software development: MSA plus per-project SOWs with milestone-based payment, written acceptance criteria, present-tense IP assignment, and source-code escrow if the deliverable is mission-critical.
- Marketing and creative agencies: MSA plus per-campaign SOWs with kill fee, FTC endorsement-guide compliance recital, and licensing carve-outs for stock media and consumer right-of-publicity issues.
- Construction and trades (small): Modified MSA with state-specific contractor licensing recitals, lien waiver mechanics, and mechanic's-lien-statute-compliant payment schedule. For large construction, use AIA or ConsensusDocs forms instead.
- BPO / outsourcing: MSA plus an SOW with detailed transition-in/transition-out plans, KPIs and earn-back, and a step-in right for the client on chronic SLA failure.
- White-label/reseller arrangements: MSA with a license grant, branding rules, end-customer minimum terms, and an audit right on the reseller's books for revenue-share verification.
Clauses that decide whether the services agreement is enforceable
Services and SOW structure
The MSA references SOWs by attachment; each SOW defines the specific engagement. Conflict-resolution clause is critical because SOWs almost always include some commercial terms that creep into legal territory.
"Provider shall perform the services described in each Statement of Work signed by the parties (each, an 'SOW'). Each SOW is governed by this Agreement and is incorporated herein by reference. In the event of conflict between this Agreement and an SOW, this Agreement controls, except for commercial terms (fees, schedule, scope) expressly set forth in the SOW, which control over any conflicting terms in this Agreement."
Pitfall: Without the conflict-resolution clause, a junior SOW signed by a sales team can quietly override the carefully negotiated MSA. The carve-out for "commercial terms" lets the SOW vary fees and schedule without breaking the legal framework.
Service Level Agreement and service credits
Defines availability, response time, support hours, and the measurement methodology. Service credits should be the client's sole and exclusive remedy for SLA breach, capped at monthly fees, with a chronic-failure termination trigger.
"Provider shall provide the Services with monthly availability of 99.9%, measured as ((Total Minutes - Excluded Minutes - Downtime Minutes) / (Total Minutes - Excluded Minutes)). 'Excluded Minutes' means scheduled maintenance announced at least 48 hours in advance and force majeure events. For each tier of availability below 99.9%, Client shall receive a service credit per the Schedule: 99.0%-99.9% = 10% of monthly fees; 95.0%-99.0% = 25%; below 95.0% = 50%. Service credits are Client's sole and exclusive remedy for SLA breach. If Provider fails to meet the SLA for three consecutive months, Client may terminate the affected SOW for cause without further notice."
Pitfall: "Best efforts" SLAs are unenforceable. Quantify everything: response time in minutes, availability percentage, measurement window, and excluded events. Otherwise, the SLA is a press release.
Fees, invoicing, and dispute window
Fee structure (per the SOW), invoice cadence, payment terms (Net 30 standard; enterprise increasingly demands Net 45/60), late-payment interest, and a written dispute window with specific-item requirement.
"Provider shall invoice Client monthly in arrears for time-and-materials Services, and on the milestone schedule for fixed-fee Services. Client shall pay each undisputed invoice within thirty (30) days of receipt. Late amounts accrue interest at 1.5% per month or the maximum lawful rate, whichever is lower. Client must dispute any invoice in writing within fifteen (15) days of receipt, identifying the specific line items in dispute; undisputed amounts remain due on the original due date."
Pitfall: Without the 15-day specificity requirement, clients use "we're still reviewing" as an indefinite stall. Make the dispute window short and the required specificity high.
Intellectual property ownership
Custom deliverables created under an SOW assign to Client; Provider retains background IP and grants Client a license to use it as incorporated. Add the AI/ML training carve-out by default.
"Provider hereby assigns to Client all right, title, and interest in the Deliverables identified in each SOW as 'Client Materials', including all copyrights, patents, and trade-secret rights. Provider retains ownership of (i) tools, frameworks, libraries, methodologies, and know-how existing prior to or developed independently of the SOW, and (ii) generally applicable improvements ('Provider Background IP'), and grants Client a perpetual, worldwide, royalty-free license to use the Provider Background IP solely as incorporated in the Deliverables. Provider shall not use Client Confidential Information to train any machine-learning model."
Pitfall: "Provider agrees to assign" is unenforceable in bankruptcy and against downstream acquirers. Use the present-tense "hereby assigns" after Stanford v. Roche.
Limitation of liability with carve-outs
Aggregate cap typically equal to fees paid in the trailing 12 months; exclusion of indirect, consequential, special, and punitive damages; carve-outs for confidentiality, IP indemnity, gross negligence, data-breach liability, and payment obligations.
"Except for the Excluded Liabilities, each party's aggregate liability arising out of or related to this Agreement shall not exceed the fees paid by Client to Provider in the twelve (12) months preceding the event giving rise to the claim. Neither party shall be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, including lost profits or revenue. 'Excluded Liabilities' means liability arising from (i) breach of confidentiality, (ii) IP indemnification, (iii) gross negligence or willful misconduct, (iv) breach of the Data Processing Addendum, (v) Provider's data-security obligations, and (vi) payment obligations."
Pitfall: Sophisticated enterprise procurement will refuse a pure "cap at fees paid" with no carve-outs. Expect to negotiate super-caps (5x-10x fees) for the excluded categories, especially data-breach liability in CCPA states.
Indemnification (mutual, with IP focus)
Provider indemnifies against third-party IP infringement claims on the Deliverables; Client indemnifies against claims arising from Client-supplied materials. Defense, settlement control, and exclusions are tightly defined.
"Provider shall defend Client against any third-party claim that the Deliverables, as delivered and used in accordance with this Agreement, infringe a U.S. patent, copyright, trademark, or trade secret, and shall pay damages or settlement amounts approved by Provider in writing. Provider's obligations are excluded for claims based on (i) Client modifications to the Deliverables, (ii) combination of the Deliverables with non-Provider materials, or (iii) Provider's compliance with Client specifications. Client shall defend Provider against any third-party claim arising from Client-supplied materials, data, or instructions."
Pitfall: The "compliance with Client specifications" carve-out is essential — Provider cannot indemnify for IP risk that flows from Client's choice of third-party API or library.
Term, renewal, and termination
Initial term per the SOW (or master MSA term), auto-renewal with notice, termination for cause (uncured material breach), termination for convenience (with kill fee or notice period), termination on insolvency or change of control.
"This Agreement begins on the Effective Date and continues until all SOWs have expired or been terminated, unless earlier terminated under this Section. Each SOW shall set forth its own initial term and renewal provisions, and shall auto-renew for successive 12-month periods unless either party provides 60 days' written notice of non-renewal. Either party may terminate this Agreement or any SOW for the other party's (i) uncured material breach after 30 days' written notice, or (ii) insolvency, assignment for the benefit of creditors, or bankruptcy filing. Client may terminate any SOW for convenience on 30 days' written notice, in which case Client shall pay Provider for Services performed through the termination date plus any non-cancelable third-party commitments."
Pitfall: The 2024 FTC Negative Option Rule and several state consumer-protection statutes require clear and conspicuous disclosure of auto-renewal terms for consumer-facing services. B2B is generally exempt but must still meet contract-formation standards.
Confidentiality and data protection
Mutual confidentiality during and after engagement, with explicit AI/ML training prohibition and statutory whistleblower carve-out. For any engagement touching personal data, attach a Data Processing Addendum.
"Each party shall protect the other party's Confidential Information using at least the same degree of care it uses for its own confidential information of like importance, but in no event less than reasonable care. Provider shall not use Client Confidential Information to train, fine-tune, prompt, or evaluate any machine-learning model, or input Client Confidential Information into any third-party AI service that does not contractually prohibit use of inputs for model training. Where Provider processes Personal Data on Client's behalf, the Data Processing Addendum attached as Exhibit B applies and governs in the event of conflict with this Section."
Pitfall: A confidentiality clause is not a DPA. GDPR Article 28 requires specific contractual terms (processing purpose, sub-processor authorization, breach notification, audit rights) that a generic confidentiality clause does not provide.
Insurance, audits, and step-in rights
Required coverage levels, certificate-of-insurance delivery, additional-insured status, and the client's right to audit compliance with material obligations. For chronic SLA failure, a step-in right lets the client run the services itself or via a third party.
"Provider shall maintain at its expense (i) Commercial General Liability insurance of at least $1,000,000 per occurrence / $2,000,000 aggregate; (ii) Professional Liability / Errors & Omissions insurance of at least $2,000,000 per claim; (iii) Cyber Liability insurance of at least $5,000,000 per incident; and (iv) Workers' Compensation per applicable law. Provider shall name Client as additional insured on the CGL and shall deliver certificates of insurance before the Effective Date and at each renewal. Client may audit Provider's compliance with this Agreement (excluding cost or margin data) on 30 days' written notice, not more than once per calendar year."
Pitfall: Without certificate-of-insurance delivery as a condition precedent to engagement, insurance gets ignored until there is a claim — at which point Provider's lapsed policy is Provider's problem only.
Jurisdiction notes
Services agreements are governed by state contract law, but several jurisdictions impose statute-of-frauds, consumer-protection, or auto-renewal regulations that override boilerplate terms:
- California (Bus. & Prof. Code §17600 et seq.; CCPA): Auto-renewal disclosure rules for consumer-facing services — clear and conspicuous presentation, affirmative consent, easy cancellation. Bus. & Prof. Code §17602 requires acknowledgment of auto-renewal terms in a separate document. CCPA service-provider definition requires DPA-equivalent contractual terms.
- New York (Gen. Bus. Law §763; SHIELD Act): Auto-renewal disclosure for consumer-facing services. The SHIELD Act (eff. 2020) imposes data-security requirements on any business that holds private information of New York residents.
- Federal Trade Commission Negative Option Rule (16 C.F.R. §425, effective 2024): Click-to-cancel requirements, "simple cancellation," and prohibition on misrepresentation of material facts in any negative-option offer. Applies primarily to consumer-facing services but is being applied by analogy to mid-market B2B.
- Texas (Bus. & Com. Code §17.41 et seq. — DTPA): The Deceptive Trade Practices Act applies to most consumer-facing services and provides treble damages for knowing violations. B2B contracts can disclaim DTPA only with specific waiver language signed by counsel for the business client.
- State contractor-licensing statutes: Construction, electrical, plumbing, HVAC, and certain technology services require state licensure. California (Bus. & Prof. Code §7031): an unlicensed contractor cannot enforce its contract or recover for work performed — even if the work is acceptable. Verify licensure before contracting.
- GDPR / UK GDPR / EU member state laws: Article 28 mandates a written processor contract. Member states (Germany, France, Italy) layer additional requirements; the UK has retained GDPR substantially intact post-Brexit. Standard Contractual Clauses (SCCs) required for any cross-border data transfer.
- Healthcare (HIPAA, 45 C.F.R. §164.504(e)): Any service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate and requires a written Business Associate Agreement. The BAA travels separately or as an annex to the MSA.
How to draft your services agreement in LexDraft
Pick the architecture
Open LexDraft in Word. Choose MSA + SOW (for ongoing or multi-project relationships) or one-shot agreement (for single, defined engagements). LexDraft auto-attaches an SOW template and the conflict-resolution clause.
Lock SLAs, fees, and acceptance
Define the Services with quantified SLAs, service credits, and (for deliverables) written acceptance criteria. Set the fee structure, invoice cadence, dispute window, and late-payment interest.
Layer liability, IP, and termination
Apply the liability cap with appropriate carve-outs, present-tense IP assignment, mutual IP indemnification, insurance schedule, and termination mechanics. Attach the DPA exhibit if personal data is involved.
Best practices a sophisticated services counsel would actually use
Use MSA + SOW even for the first engagement
If there is any chance of a second engagement, sign the MSA up front. Renegotiating commercial terms (fees, schedule) is trivial; renegotiating legal terms (liability cap, IP) is not. The MSA + SOW structure makes the second sale procurement-free.
Quantify every SLA
"Best efforts" SLAs are unenforceable noise. Specify availability percentage, response time in minutes, support hours, measurement methodology, excluded events, and the calculation formula. Service credits should be tiered, capped at monthly fees, and the client's sole remedy.
Add the AI/ML training carve-out
2024-2026 vintage essential. Without it, the provider's free-tier ChatGPT usage on client data is contractually permitted. Two sentences: prohibit use of client confidential information to train models, and prohibit input into any third-party AI service without a no-training contract.
Calibrate liability caps by category
A flat "cap at fees paid" with no carve-outs will not survive enterprise procurement. Build a multi-tier cap: 1x fees for general liability; 5x-10x fees for confidentiality, IP indemnity, gross negligence; uncapped for payment obligations and (often) data-breach liability in CCPA states.
Require COI before kickoff
Insurance certificate delivery should be a condition precedent to engagement. Build it into the MSA as a hard kickoff gate. Renew the COI requirement annually with at-least-30-days-cancellation-notice endorsement.
Use chronic-failure SLA termination triggers
Service credits without a termination trigger let bad service continue indefinitely. After three consecutive months of credit-triggering events, or two consecutive months below 95% availability, the client should have a no-fault termination right for the affected SOW.
Attach the DPA, not a confidentiality clause
If personal data is involved, you need a Data Processing Addendum — not a beefed-up confidentiality clause. Article 28 requires specific terms a confidentiality clause does not provide. Attach the DPA as an exhibit and reference it explicitly.
Address change-of-control assignment
Default rule: contracts are assignable unless the contract says otherwise. For sensitive engagements (PHI, payment data, source code), require the other party's written consent to assignment, not to be unreasonably withheld — with an automatic termination right if the assignor is acquired by a direct competitor.
Frequently Asked Questions About Service Agreements
"Service agreement" is the generic label for any contract under which one party provides services to another. A Master Services Agreement (MSA) is a long-form services agreement that handles the commercial framework — IP, liability, confidentiality, payment terms, indemnities — and is signed once. A Statement of Work (SOW) sits underneath the MSA and defines a specific engagement's scope, deliverables, schedule, and fees. Best practice for any ongoing or repeatable service relationship: sign the MSA once, then add SOWs as needed. This removes procurement friction on the second sale and creates consistent legal terms across all engagements.
Service credits are the client's sole and exclusive remedy for SLA breach in well-drafted agreements, structured as tiered percentages of monthly fees: typically 10% for first-tier breach, 25% for second tier, 50% for catastrophic breach. They should be capped at monthly fees, excluded from the aggregate liability cap, and accompanied by a chronic-failure termination right (e.g., three consecutive credit-triggering months or two consecutive months below 95% availability). Without service credits as the exclusive remedy, the client has only a damages claim — which is rarely cost-effective to pursue for downtime — and the provider faces an open-ended exposure.
For ongoing service relationships, yes — but with proper notice mechanics. Market structure is an initial 12-month term with successive 12-month renewals unless either party gives 60–90 days' written notice of non-renewal. California (Bus. & Prof. Code §17600), New York (Gen. Bus. Law §763), and several other states require clear and conspicuous disclosure of auto-renewal terms for consumer-facing services. The FTC Negative Option Rule (16 C.F.R. §425, effective 2024) imposes additional disclosure and "click-to-cancel" requirements. B2B auto-renewals are generally enforceable but should still meet contract-formation standards and may be subject to state UDAP statutes.
For most professional services: (i) Commercial General Liability of $1M per occurrence / $2M aggregate; (ii) Professional Liability / Errors & Omissions of $1M-$5M per claim depending on engagement size; (iii) Cyber Liability of $1M-$10M for any data-touching engagement; (iv) Workers' Compensation per applicable state law; and (v) Automobile Liability if any travel. Enterprise clients increasingly require named additional insured status on the CGL policy, a waiver of subrogation, and at-least-30-days notice of cancellation endorsement. Make certificate of insurance delivery a condition precedent to engagement kickoff — not an afterthought when the first claim arrives.
Only if the contract grants the right expressly. Without a termination-for-convenience clause, the client can only terminate for cause (material breach) or under specific contract triggers (insolvency, change of control). Most well-drafted MSAs grant the client a termination-for-convenience right on 30–60 days' written notice, with the service provider paid for (i) work completed through the termination date, (ii) any non-cancelable third-party commitments, and (iii) a wind-down fee or kill fee proportional to remaining commitments. The service provider's exit right is typically more constrained — usually only for the client's uncured material breach or non-payment beyond the cure period.
If the service provider will access, store, or process personal data on the client's behalf — yes, and it is legally required. GDPR Article 28 mandates a written processor contract. The CCPA service-provider definition (Cal. Civ. Code §1798.140(ag)) and the Colorado, Connecticut, Virginia, and Utah privacy acts impose substantially similar requirements. The DPA covers processing purpose limitations, sub-processor authorization, security measures, breach-notification timeline (72 hours under GDPR), audit rights, and data return or deletion at termination. For protected health information, layer a HIPAA Business Associate Agreement (45 C.F.R. §164.504(e)); for payment-card data, layer PCI-DSS allocation of responsibilities.
Yes — this is the single most common 2024-2026-vintage gap in legacy services agreements. Pre-2022 templates are silent on whether the provider can use client confidential information to train, fine-tune, or prompt machine-learning models or input client information into third-party AI services. The clause is two sentences: (i) the provider shall not use client Confidential Information to train, fine-tune, prompt, or evaluate any ML model; and (ii) the provider shall not input client Confidential Information into any third-party AI service that does not contractually prohibit use of inputs for model training. Without it, enterprise procurement audits routinely flag the agreement as non-compliant.
Build a procurement-ready MSA in Word
LexDraft generates the MSA + SOW structure with calibrated liability caps, the AI/ML training carve-out, an attached DPA exhibit, and the auto-renewal mechanics that survive the 2024 FTC Negative Option Rule.
Install LexDraft for Word