Contract Review Checklist
Systematic contract review checklist — evaluating liability, IP ownership, data handling, termination clauses, SLAs, and compliance requirements with risk-rated findings and suggested protective language.
contract-review-checklist/
SKILL.md
# Contract Review Checklist

## Before you start

Gather the following from the user. If anything is missing, ask before proceeding:

1. **What type of contract?** (SaaS agreement, vendor contract, partnership, NDA, MSA)
2. **Which party are you?** (Customer, vendor, partner — your review posture changes)
3. **What is the contract value?** (Determines acceptable risk tolerance)
4. **What data is involved?** (PII, PHI, financial data, trade secrets, none)
5. **What regulatory frameworks apply?** (GDPR, HIPAA, SOC 2, industry-specific)
6. **Are there existing terms to compare against?** (Prior version, your standard template)

This skill produces a structured review with risk-rated findings. It is not legal advice. Flag findings rated High or Critical for legal counsel review.

## Review template

### 1. Contract Summary

```
Contract Type: [SaaS Subscription Agreement]
Parties: [Your Company] ("Customer") and [Vendor] ("Provider")
Term: [Initial term + renewal terms]
Total Value: [Annual or total contract value]
Review Date: [Date]
```

### 2. Liability and Indemnification

| Clause                | Section | Current Language             | Risk | Recommendation                  |
|-----------------------|---------|------------------------------|------|---------------------------------|
| Liability cap         | 7.1     | 12 months of fees paid       | Low  | Acceptable — standard for SaaS  |
| Indemnification scope | 8.1     | Vendor indemnifies IP only   | High | Add data breach indemnification |
| Consequential damages | 7.3     | Mutual waiver                | Low  | Standard — acceptable           |

Red flags: liability cap below contract value, one-sided indemnification, no carve-outs for gross negligence or willful misconduct.

### 3. Intellectual Property

| Issue                   | Section | Status        | Risk | Notes                           |
|-------------------------|---------|---------------|------|---------------------------------|
| IP ownership of outputs | 4.1     | Customer owns | Low  | Verify includes derivatives     |
| License to customer data| 4.3     | Broad license | High | Narrow to service delivery only |
| Work product rights     | 4.4     | Not addressed | Crit | Must add assignment clause      |

Key questions: Who owns work product? Does the vendor retain rights to use your data for training or benchmarking? Do license grants survive termination?

### 4. Data Handling and Privacy

| Requirement           | Section | Adequate? | Gap                                 |
|-----------------------|---------|-----------|-------------------------------------|
| Data processing terms | 9.1     | Partial   | Missing subprocessor notification   |
| Breach notification   | 9.3     | No        | Timeline is 30 days — require 72 hrs|
| Data return/deletion  | 9.4     | Yes       | 30-day post-termination window      |
| Encryption standards  | 9.5     | N/A       | Add at-rest and in-transit minimums |

If the contract involves PII or regulated data and lacks a Data Processing Agreement, flag as Critical.

### 5. Service Levels and Remedies

| SLA Metric    | Commitment  | Remedy              | Risk |
|---------------|-------------|---------------------|------|
| Uptime        | 99.9%       | 5% credit per 0.1%  | Low  |
| Response time | Not defined | None                | High |
| RTO/RPO       | Not defined | None                | Crit |

Verify: Are credits the sole remedy, or can you terminate for persistent SLA failures? Does the vendor self-report uptime?

### 6. Termination and Exit

| Provision                  | Terms                | Risk | Notes                         |
|----------------------------|----------------------|------|-------------------------------|
| Termination for convenience| Not permitted        | High | Add with 90-day notice        |
| Data portability           | CSV export available | Med  | Require API access + format   |
| Transition assistance      | Not addressed        | High | Add 90-day transition period  |

If you cannot exit the contract within a reasonable timeframe with your data intact, the contract creates vendor lock-in.

### 7. Findings Summary

Compile all findings prioritized by risk:

| # | Finding                        | Risk | Section | Action Required                 |
|---|--------------------------------|------|---------|---------------------------------|
| 1 | No work product IP assignment  | Crit | 4.4     | Add IP assignment clause        |
| 2 | No RTO/RPO commitments         | Crit | 6.3     | Define recovery objectives      |
| 3 | Broad license to customer data | High | 4.3     | Narrow to service delivery      |

## Quality checklist

Before delivering a contract review, verify:

- [ ] Every finding cites a specific section number or notes the clause is missing
- [ ] Risk ratings are consistent — Critical means business-threatening, not inconvenient
- [ ] IP ownership is reviewed for both pre-existing IP and work product
- [ ] Data handling covers processing terms, breach notification, and post-termination deletion
- [ ] SLAs have measurable commitments with defined remedies
- [ ] Termination provisions include data portability and transition assistance
- [ ] Findings summary is prioritized with specific recommended actions

## Common mistakes

- **Reviewing only what is written.** Missing clauses are findings. No SLA, no data deletion — these omissions are risks.
- **Treating all risks as equal.** A missing comma is not the same risk as unlimited liability. Rate findings consistently.
- **Ignoring the "other party" position.** If you are the vendor, customer-favorable terms are your risk. Adjust review posture to your role.
- **Skipping auto-renewal terms.** Contracts that silently renew with uncapped price increases are expensive surprises.
- **Reviewing without context.** A $5K SaaS tool and a $2M infrastructure contract require different risk tolerances.
- **Not flagging missing DPAs.** If personal data is processed without a Data Processing Agreement, this is a regulatory gap.
| 103 | |
| 104 | - **Reviewing only what is written.** Missing clauses are findings. No SLA, no data deletion — these omissions are risks. |
| 105 | - **Treating all risks as equal.** A missing comma is not the same risk as unlimited liability. Rate findings consistently. |
| 106 | - **Ignoring the "other party" position.** If you are the vendor, customer-favorable terms are your risk. Adjust review posture to your role. |
| 107 | - **Skipping auto-renewal terms.** Contracts that silently renew with uncapped price increases are expensive surprises. |
| 108 | - **Reviewing without context.** A $5K SaaS tool and a $2M infrastructure contract require different risk tolerances. |
| 109 | - **Not flagging missing DPAs.** If personal data is processed without a Data Processing Agreement, this is a regulatory gap. |
| 110 |