Enterprise Customer Contract Checklist for Indian Startups: MSA, SLA, IP, Data, Payment and Liability Clauses
Before an Indian startup signs an enterprise customer contract, the founders should check scope, payment triggers, tax treatment, service levels, intellectual property, data use, confidentiality, liability…
Direct answer for founders
Before an Indian startup signs an enterprise customer contract, the founders should check scope, payment triggers, tax treatment, service levels, intellectual property, data use, confidentiality, liability cap, indemnity, termination, renewal, audit rights, governing law and signing authority. A large logo is useful only if the contract does not quietly transfer risk the startup cannot absorb.
This matters because enterprise buyers usually send their own master services agreement, purchase order terms, security schedule and data processing language. Early founders often sign quickly to close the quarter. Later, the same document can block fundraising because investors see weak payment terms, customer-owned product IP, broad indemnities, uncapped liability, personal-data exposure or missing board authority.
The legal base is not one single startup law. Founders should read the Indian Contract Act, 1872 for contract enforceability (https://www.indiacode.nic.in/handle/123456789/2187), the Information Technology Act, 2000 for electronic records and digital contracting context (https://www.indiacode.nic.in/handle/123456789/1999), the Digital Personal Data Protection Act, 2023 where personal data is involved (https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf), and the Companies Act, 2013 for board authority and corporate approvals (https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf).
Contract review table
| Clause | What to check | Founder risk if ignored |
|---|---|---|
| Scope of work | Deliverables, exclusions, assumptions and dependencies | Customer expects work not priced or planned |
| Payment | Milestones, credit period, invoicing, GST and late payment | Revenue booked but cash collection delayed |
| SLA | Uptime, support hours, response time and service credits | Small issue becomes recurring penalty |
| IP ownership | Background IP, customer data, custom work and product improvements | Core product rights get diluted |
| Data and security | Personal data, access controls, breach notice and subprocessors | DPDP, customer audit and trust risk |
| Liability cap | Cap amount, exclusions and indirect damages | Startup accepts risk beyond balance sheet |
| Indemnity | IP, data, tax, confidentiality and third-party claims | One-sided indemnity drains runway |
| Termination | Convenience termination, cure period and transition help | Customer exits before payback period |
| Renewal | Auto-renewal, price changes and notice window | Pricing stays frozen as usage grows |
| Authority | Board or authorised signatory approval | Investor asks who could legally sign |
Clauses founders should negotiate carefully
1. Scope should be specific
Avoid vague phrases like “all services required by customer.” Define modules, users, integrations, support level, implementation assumptions and customer dependencies. If the buyer must provide data, approvals, APIs, access or UAT feedback, write it clearly.
2. Payment should match delivery economics
Check advance payment, milestone billing, GST, withholding, reimbursement, invoice approval, dispute process and late-payment rights. A 90-day payment cycle can be difficult for a startup paying salaries monthly. If implementation work is heavy, founders should avoid carrying all cost before the first invoice is paid.
3. IP should protect the product
The customer may own its data, brand material and specific reports, but the startup should normally retain its platform, algorithms, tools, templates, know-how, libraries and product improvements. If custom development is funded by the customer, separate product IP from customer-specific deliverables.
4. SLA should reflect actual capacity
Do not promise 24×7 support, instant response, unlimited credits or enterprise-grade uptime unless the team can deliver it. Define exclusions for planned downtime, customer-side failures, third-party systems and force majeure. Link service credits to fees actually paid, not open-ended damages.
5. Data clauses should be operational, not decorative
If the contract involves customer, employee or user personal data, founders should map what data is processed, why it is processed, where it is stored, who can access it, which vendors are involved and how incidents are reported. DPDP readiness is not only a privacy policy issue; it affects enterprise contracting.
6. Liability should be capped
Many enterprise templates start with broad indemnities and uncapped liability. Founders should negotiate a reasonable cap, exclude indirect damages and keep only narrow uncapped exceptions where unavoidable. A startup should not sign a contract where one breach can exceed the company’s available capital.
Documents to keep in the data room
| Document | Why it helps |
|---|---|
| Final signed MSA and order form | Shows actual commercial terms |
| Statement of work | Proves scope and delivery obligations |
| Board or authority record | Confirms signatory power |
| Security questionnaire | Shows buyer diligence and responses |
| Data processing schedule | Shows privacy and vendor responsibilities |
| SLA schedule | Shows measurable service commitments |
| Change request log | Prevents unpaid scope expansion |
| Invoice and collection tracker | Supports revenue and receivable diligence |
Common mistakes to avoid
- Signing purchase order terms without checking that they override the negotiated MSA.
- Giving the customer ownership of all product improvements.
- Accepting unlimited liability because the buyer says the clause is standard.
- Promising support hours the team cannot staff.
- Ignoring GST, withholding and invoice approval language.
- Not checking whether the founder had authority to sign the contract.
- Letting sales teams agree to custom commitments in email.
- Forgetting to update the investor data room after a major customer win.
Practical example
A Pune SaaS startup closes a large manufacturing customer. The buyer asks for unlimited liability, customer ownership of custom dashboards and 99.99 percent uptime. A cleaner version caps liability to fees paid in the previous 12 months, lets the customer own its data and reports, keeps platform IP with the startup, defines support hours and adds a paid change-request process. The founder still gets the logo, but the company does not absorb hidden enterprise risk.
Founder next steps
- Create a standard contract review checklist before the next enterprise negotiation.
- Mark non-negotiable clauses for IP, data, liability and payment.
- Keep one authorised signatory matrix for sales contracts.
- Use a contract summary sheet for every major customer.
- Add signed contracts, amendments and invoices to the investor data room.
- Review high-value contracts before fundraising diligence begins.
Sources
- Indian Contract Act, 1872: https://www.indiacode.nic.in/handle/123456789/2187
- Information Technology Act, 2000: https://www.indiacode.nic.in/handle/123456789/1999
- Digital Personal Data Protection Act, 2023: https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- Companies Act, 2013: https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
FAQ Section
Should every enterprise contract be reviewed by a lawyer?
High-value, long-term, data-heavy or IP-sensitive customer contracts should be reviewed before signing. Smaller contracts can still use a founder checklist.
What is the biggest risk in an enterprise MSA?
For startups, the biggest risks are usually broad IP assignment, unlimited liability, unclear payment milestones, heavy SLA penalties and one-sided termination rights.
Can a customer own custom work?
Yes, but founders should separate customer-specific deliverables from the startup’s background IP, platform, tools, templates, know-how and reusable product improvements.
Should SaaS startups accept customer audit rights?
Audit rights can be accepted if they are limited, confidential, scheduled, reasonable in frequency and do not expose other customers’ data or source code.
What should investors check in customer contracts?
Investors check revenue quality, payment terms, concentration risk, IP ownership, data obligations, termination rights, liability exposure and whether the contract was signed with authority.
Founder / Business Takeaway
Enterprise contracts should convert sales momentum into clean revenue, not silent risk. The Best CS Firm In India mindset is to make every major customer agreement fundraise-ready before diligence starts.
Need expert support?
BSA helps startups review enterprise customer contracts, MSAs, SaaS agreements, data clauses, authority records and investor-ready contract summaries.
Need expert support?
BSA supports founders across India with ROC, FEMA, due diligence, fundraising readiness, and company secretarial execution.
