MSA, NDA and DPA review: a clause checklist

The Docvize team 18 May 2026 5 min read

Most teams sign the same three agreements over and over: a master services agreement to set the commercial terms, a non-disclosure agreement before anyone shares anything sensitive, and a data processing agreement when personal data changes hands. They pile up faster than legal can read them. This is a practical clause checklist for MSA review, DPA review and the kind of NDA review checklist you can actually run yourself - written for operations, procurement and finance, not just lawyers.

You don't need to redraft these documents. You need to know which lines decide whether the deal is sensible, and which ones quietly hand the other side the advantage.

MSA review: where the money and the risk live

The master services agreement is usually the one with real money attached, so it's worth the most attention. Work through these:

  • Liability cap. Is there one, and what's it tied to? "Fees paid in the prior twelve months" is common and reasonable. Uncapped liability, or a cap set far above contract value, is a flag.
  • Indemnities. Who covers whom, and for what? A one-sided indemnity where you carry all the risk and they carry none is the classic imbalance.
  • Auto-renewal and term. When does it renew, and how much notice must you give to stop it? A 90-day notice window on a contract that renews in March means a decision in November.
  • Termination rights. Can you exit for convenience, or only for cause? Can they? Asymmetric termination - they can walk, you can't - is worth catching early.
  • Price increases. Look for clauses that let them raise fees annually by "CPI" or "then-current rates". Uncapped rises compound quietly.
  • IP ownership. Who owns what's created? For services and deliverables, make sure ownership lands where you expect, not with the supplier by default.
  • Payment terms and SLAs. Net 30 versus net 60 affects cash flow. Service levels with no remedy attached are decoration.

If you only check one thing in an MSA, make it the liability cap read alongside the indemnities. Those two clauses together tell you your real downside.

NDA review checklist: short document, sharp edges

NDAs look harmless because they're short. They aren't. Run this NDA review checklist before signing:

  • Mutual or one-way? If only one party is bound, make sure it's the right one. You'd be surprised how often the default protects them, not you.
  • Definition of confidential information. Too narrow and your data isn't covered; too broad and ordinary business information gets locked up.
  • Duration. How long does the obligation last after the agreement ends? Two to five years is typical. "Perpetual" for anything other than trade secrets is aggressive.
  • Permitted disclosures. You need carve-outs for your own staff, advisers, and anything you're legally required to disclose.
  • Return or destruction of data. What happens to the information when you're done? There should be a clear obligation to return or delete it.
  • Non-solicitation riders. Some NDAs smuggle in a clause stopping you from hiring the other side's people. Read to the end.

The trap with NDAs is volume. They turn up constantly, each one feels low-stakes, and so they get signed on autopilot. That's exactly how a five-year perpetual obligation slips through.

DPA review: the data clauses that matter

A data processing agreement governs personal data, and under UK GDPR it has to. DPA review is less about negotiation and more about confirming the required terms are actually present:

  • Roles. Is each party correctly named as controller or processor? Getting this wrong skews every obligation that follows.
  • Scope of processing. The nature, purpose, duration and categories of data should be set out, usually in a schedule. A vague scope is a problem.
  • Sub-processors. Can they bring in third parties, and do you get notice or a right to object? Watch for blanket pre-approval.
  • International transfers. If data leaves the UK, the agreement needs a lawful basis - standard contractual clauses or an adequacy decision. This is the line that's most often missing.
  • Security measures. There should be a concrete commitment to appropriate technical and organisational measures, not just a promise to "take security seriously".
  • Breach notification. How quickly must they tell you about an incident? You need enough time to meet your own 72-hour reporting duty.
  • Audit and deletion. You should have audit rights, and the data should be returned or deleted at the end of the contract.

Doing this at scale

One contract, you can work through by hand. A portfolio of MSAs, a drawer full of NDAs and a DPA per supplier is where the checklist breaks down - not because it's hard, but because nobody has the hours.

This is the job Docvize AI was built for. Upload an agreement and it reads the document, identifies the type, and flags exactly the clauses above: the liability cap, the indemnities, the auto-renewal date and notice period, the data processing terms, the termination rights and the IP position. Each finding links back to the clause it came from, so you can check the source in a click rather than taking it on trust. It pulls renewal dates into one tracked list too, so the auto-renewal you spotted doesn't get forgotten three months later.

Your documents stay private. They're never sold, and never used to train AI. And if you want to interrogate a specific contract - "what's the notice period here?" - you can just ask Docvize in plain English.

A checklist makes the review consistent. The tool makes it fast enough to actually run every time.

Drop in a contract and see what Docvize AI finds - free for 14 days, no card.
