Contract Review Checklist
Systematic contract review checklist — evaluating liability, IP ownership, data handling, termination clauses, SLAs, and compliance requirements with risk-rated findings and suggested protective language.
File: `contract-review-checklist/cloud-vendor-agreement.md`
# Contract Review: Cirrostratus Cloud Infrastructure Agreement

## 1. Contract Summary

```
Contract Type: Cloud Infrastructure Services Agreement (IaaS + managed database)
Parties: Lumen Health Technologies ("Customer") and Cirrostratus Inc. ("Provider")
Term: 36 months, auto-renewing for 12-month periods
Total Value: $264,000/year ($792,000 total)
Review Date: 2026-03-14
Reviewer Role: Customer (Lumen Health)
Data Involved: PHI (HIPAA-regulated), PII
```

## 2. Liability and Indemnification

| Clause | Section | Current Language | Risk | Recommendation |
|-----------------------|---------|-----------------------------------------------|------|---------------------------------------------------------------------|
| Liability cap | 11.1 | Lesser of $500K or 12 months fees | High | Cap is below annual contract value; negotiate to 24 months fees |
| Indemnification scope | 12.1 | Provider indemnifies for IP infringement only | High | Add indemnification for data breaches and regulatory fines |
| Consequential damages | 11.3 | Mutual waiver, no carve-outs | Med | Add carve-outs for confidentiality breach and data loss |
| Gross negligence | — | Not addressed | High | Add carve-out excluding cap for gross negligence/willful misconduct |

## 3. Intellectual Property

| Issue | Section | Status | Risk | Notes |
|-----------------------------|---------|-------------------------------|------|------------------------------------------------------------------------------------|
| Customer data ownership | 5.1 | Customer retains ownership | Low | Acceptable |
| License to customer data | 5.3 | "Use for service improvement" | High | Overly broad — could include ML training on PHI; narrow to "service delivery only" |
| Aggregated/anonymized data | 5.4 | Provider may use freely | Med | Acceptable if truly anonymized per HIPAA Safe Harbor; add explicit standard |
| Custom configuration rights | — | Not addressed | Med | Add clause: custom configs are Customer work product |

## 4. Data Handling and Privacy

| Requirement | Section | Adequate? | Gap |
|---------------------------|-----------|-----------|---------------------------------------------------------------------------------------------------------------|
| BAA (Business Associate) | Exhibit C | Yes | BAA is attached; review subcontractor flow-down |
| Breach notification | 9.2 | No | 30 business days — HIPAA requires "without unreasonable delay" (≤60 calendar days); best practice is 72 hours |
| Data residency | 9.4 | Partial | "Primarily US" — require explicit US-only with written consent for changes |
| Encryption at rest | 9.5 | Yes | AES-256; acceptable |
| Encryption in transit | 9.6 | Yes | TLS 1.2+; acceptable |
| Subprocessor notification | 9.7 | No | No advance notice of subprocessor changes — require 30-day notice with opt-out |
| Data deletion | 9.8 | Partial | "Commercially reasonable efforts" post-termination — require certified deletion within 30 days |

**Critical:** Breach notification timeline (30 business days) is misaligned with HIPAA obligations. This must be reduced to 72 hours or "without unreasonable delay."

## 5. Service Levels and Remedies

| SLA Metric | Commitment | Remedy | Risk |
|---------------------|------------|--------------------------------|------|
| Uptime (compute) | 99.95% | 10% credit per 0.05% shortfall | Low |
| Uptime (database) | 99.9% | 5% credit per 0.1% shortfall | Low |
| Support response P1 | 1 hour | None | High |
| RTO | 4 hours | None | Med |
| RPO | 1 hour | None | Med |

**Issues:** SLA credits are capped at 30% of monthly fees (Section 7.4) — insufficient for critical healthcare workloads. No right to terminate for persistent SLA failures. Add: 3 consecutive months below SLA triggers termination right without penalty. Support response has no remedy if missed.

## 6. Termination and Exit

| Provision | Terms | Risk | Notes |
|-----------------------------|-----------------------------------------------------------|------|-----------------------------------------------------------------------|
| Termination for convenience | Customer: 180-day notice + early term fee (remaining term) | Crit | Early termination fee could be $396K; negotiate to 6 months max |
| Termination for cause | 60-day cure period | Med | Acceptable, but add carve-out: data breach = immediate termination |
| Data portability | "Standard export formats" | High | Vague — require API access, documented schema, and migration support |
| Transition assistance | 30 days post-termination | Med | Extend to 90 days for healthcare data migration complexity |
| Auto-renewal opt-out | 90-day written notice before renewal | Med | Acceptable; add calendar reminder |
| Price increases on renewal | "Market-rate adjustments" | High | Uncapped; add cap of CPI + 3% maximum |

## 7. Findings Summary

| # | Finding | Risk | Section | Action Required |
|----|-----------------------------------------------|------|---------|-----------------------------------------------------|
| 1 | Early termination fee = remaining contract | Crit | 14.2 | Cap at 6 months fees maximum |
| 2 | Breach notification: 30 business days | Crit | 9.2 | Reduce to 72 hours per HIPAA alignment |
| 3 | Broad data license ("service improvement") | High | 5.3 | Narrow to "providing the services" only |
| 4 | No subprocessor change notification | High | 9.7 | Add 30-day advance notice with opt-out right |
| 5 | Liability cap below contract value | High | 11.1 | Increase to 24 months fees paid |
| 6 | Indemnification covers IP only, not data breaches | High | 12.1 | Add data breach and regulatory fine indemnification |
| 7 | Uncapped renewal price increases | High | 14.5 | Cap at CPI + 3% |
| 8 | Vague data portability language | High | 14.3 | Require API access and documented export schema |
| 9 | No termination right for persistent SLA miss | Med | 7.4 | Add termination trigger after 3 consecutive misses |
| 10 | Transition assistance only 30 days | Med | 14.4 | Extend to 90 days |

**Recommendation:** Do not execute this agreement without resolving findings 1-4. Findings 1 and 2 are business-critical (financial exposure and regulatory compliance). Escalate to legal counsel for redline preparation.