Almost every modern custom-software project is built using some form of Agile development — short, repeating cycles of design, coding, and testing — yet most contracts governing those projects are still written as though the work will proceed in a single, planned-out march from frozen specification to final delivery. That mismatch is the source of enormous avoidable litigation. A contract that promises a fixed scope at a fixed price, and an Agile team that deliberately leaves scope open so it can respond to what it learns each sprint, are pulling in opposite directions from the day of signing. When the project later runs over budget or fails to ship the feature the customer assumed was coming, the parties reach for a contract that never described what they were actually doing — and a court must reconstruct a bargain nobody quite made.

This article is about closing that gap. It is written for three audiences at once: the in-house or outside lawyer who must draft or negotiate the agreement; the business client — a startup founder, a procurement officer, a product manager — who must live under it; and the judge or arbitrator who may someday have to read it after things go wrong. Wherever a term of art first appears, it is explained in plain language, and invented parties (clearly labeled hypothetical — "Acme Corp." and "Builder Software LLC") illustrate how the issues play out.

We move from the foundational tension — why fixed-scope, fixed-price contracting clashes with iterative development — through the legal nature of a software-development contract and then the building blocks of a sound Agile agreement: the pricing model, the sprint-based statement of work, the contractually defined product owner, acceptance criteria and the "definition of done," change management without formal change orders, intellectual-property ownership, open-source compliance, warranties and limitation of liability, data-security and privacy obligations, the special problems of regulated and government work, and, finally, emerging frontiers and dispute avoidance. Read this alongside our companion pieces on drafting software license agreements, the software license agreement review checklist toolkit, and the broader legal protection of software through copyrights, patents, trade secrets, and contracts.

What Agile and Scrum Actually Are (and Why the Difference Is Legal, Not Just Technical)

To draft a good Agile contract you must understand what the team is really doing, because the legal problems flow directly from the method.

The traditional model: waterfall. For decades, custom software was built using what is now called the "waterfall" method — a sequential process in which the project flows downhill through distinct phases: requirements gathering, design, coding, testing, integration, deployment, and maintenance. The defining feature is that the parties try to define the scope and detailed technical specifications at the very beginning. The specification — often a thick document attached as an exhibit — becomes the yardstick against which the developer's performance is measured. Waterfall contracts therefore tend to use a fixed price and schedule, formal acceptance testing at the end (and sometimes at intervals), and a formal "change control" process: any deviation from the spec requires a written change order, usually with additional payment. Waterfall has real virtues — it gives both sides certainty about the deliverable and lets them track progress against clear milestones — but a fatal weakness for complex projects: customers frequently cannot describe what they actually need at the outset (sometimes figuring that out is the project), and later changes are expensive and disruptive. In a rapidly changing market, a long planning horizon is itself a liability.

The Agile alternative. Agile is an umbrella term for a family of development methodologies — Scrum, Kanban, Extreme Programming (XP), Crystal, Lean software development, and others — that emerged in the 1990s and were codified in February 2001 when seventeen developers gathered at a ski resort in Snowbird, Utah, and produced the "Manifesto for Agile Software Development." The Manifesto's drafters valued "individuals and interactions over processes and tools," "working software over comprehensive documentation," "customer collaboration over contract negotiation," and "responding to change over following a plan." The point was never that documentation, processes, or contracts have no value; it is that, when forced to choose, an Agile team favors the first item in each pair. (The third value — "customer collaboration over contract negotiation" — is a particular provocation to lawyers, and reconciling it with enforceable risk allocation is much of what this article is about.) Those four values were accompanied by twelve supporting principles, several of which have direct contractual consequences: satisfying the customer through early and continuous delivery of working software, welcoming changing requirements even late in development, delivering working software frequently, close daily cooperation between business people and developers, and building projects around motivated individuals who are trusted to get the job done. Agile development is iterative (the same activities repeat in cycles) and incremental (each cycle produces a working slice of the product). Overall business goals are agreed at the start; the detailed solution is deliberately left to emerge.

The other frameworks, briefly. Although this article uses Scrum vocabulary, a lawyer should recognize the siblings, because clients use them and contracts must accommodate them. Kanban is a flow-based visual method (visualize the workflow, limit work in progress, manage flow, make policies explicit, build feedback loops), less prescriptive than Scrum and common outside software too. Extreme Programming (XP) layers in rigorous engineering practices — pair programming, test-driven development, continuous integration and deployment, simple design, and refactoring — which can become contractual quality commitments (building peer review and passing tests into the definition of done). Lean software development, adapted from lean manufacturing, emphasizes eliminating waste, amplifying learning, deciding as late as responsibly possible, delivering fast, and empowering the team. The shared themes — iterative delivery, frequent feedback, and adaptation to change — generate the legal challenges this article addresses, whatever the framework's name.

Scrum, the dominant framework. Most Agile software projects use Scrum, so this article uses its vocabulary. The work is organized around:

  • A product backlog — a prioritized wish-list of everything the customer might want the software to do. Items are usually written as "user stories" in the form "As a [type of user], I want [a feature] so that [a benefit]." Each item typically carries an estimate of business value (from the product owner) and an estimate of effort (from the development team).
  • Sprints — fixed, short development cycles, usually two to four weeks, in which the team builds a selected set of backlog items. A sprint is a timebox: when the time runs out, work stops, and anything unfinished returns to the backlog rather than extending the clock.
  • A sprint backlog — the subset of items the team commits to build in the current sprint.
  • The product owner — the customer's representative, who owns and prioritizes the backlog and decides what is most valuable to build next.
  • The development team — the people who actually write and test the code.
  • The Scrum Master — a facilitator (think coach) who keeps the process running and clears obstacles.
  • The definition of "done" — the agreed standard a backlog item must meet before it counts as complete.

Each sprint then runs through a planning meeting, brief daily check-ins, a sprint review (a demo of the working software, where items are marked "done"), and a retrospective (a look at how to improve the process). At the end, the customer tests the increment against agreed acceptance criteria. The project is finished when all the backlog items the customer still wants have been delivered and meet the definition of done — even if the contents of the backlog changed many times along the way.

That last clause is where the legal problem lives. In waterfall, "what we agreed to build" is a fixed document; in Agile, it is a living list the customer may re-prioritize, add to, and delete from as the project unfolds. A contract drafted for the first reality cannot govern the second.

Why Fixed-Scope, Fixed-Price Contracting Clashes With Iterative Development

A fixed-price contract is a promise: the developer will deliver a defined thing for a defined sum. Fixed price is only coherent if the "thing" is actually defined. In an Agile project the thing is, by design, not defined at signing — only the goals, budget envelope, and process are. Forcing a fixed-price, fixed-scope structure onto an Agile project produces predictable pathologies.

The specification that does not exist yet. A fixed-price contract measures performance against a specification. But in a genuine Agile engagement, the product specification may only emerge during the project. If counsel staples a detailed specification to an Agile contract anyway, one of two bad things happens: either the team ignores the spec and follows the backlog (in which case the spec is a litigation trap, because the delivered software will not match the contractual yardstick), or the team is forced to follow the frozen spec (in which case the customer paid for Agile and received waterfall). Neither outcome is what either party wanted.

The change-order trap. Waterfall manages scope changes through formal change orders. Agile manages them through routine re-prioritization of the backlog — the product owner swaps a lower-value story out and a higher-value story in, often several times per sprint. If the contract says every scope change requires a signed change order, then either the parties generate a blizzard of paperwork nobody executes (creating a gap between contract and conduct), or they stop papering changes and later fight about whether dozens of un-ordered changes were "extra work" the customer must pay for or "in scope" work the developer owed for free — leaving a court to decide, after the fact, what the parties "really" agreed, an expensive and uncertain exercise good drafting can pre-empt.

The disappearing remedy. In a waterfall dispute, delay and defect are relatively easy to prove: the deliverable was due on a date, against a spec, and was late or non-conforming. In Agile, it can be genuinely difficult to determine whether there is actually a delay or defect at all. Because the customer controls prioritization, an incomplete feature may simply have been deprioritized — the customer pushed it to a later sprint — making it hard for that same customer to later blame the developer for not finishing it on time. And a customer who accepted sprints one through five may be precluded from complaining in sprint nine that those early increments were a poor foundation. The informal, conversation-driven nature of Agile compounds the problem: the documentary evidence a court expects — signed approvals, written change orders, formal acceptance certificates — frequently does not exist. The methodology's informality is, in litigation, its Achilles' heel.

The cautionary tale. The risks of a poorly specified large software project are not hypothetical. In the leading English case BSkyB Ltd v HP Enterprise Services UK Ltd [2010] EWHC 86 (TCC), a customer recovered substantial damages after a troubled customer-relationship-management software project collapsed, the court scrutinizing what was promised, what was delivered, and the representations made during procurement. That case involved a more traditional methodology, but its lesson translates directly — and underscores the need for clarity even in flexible Agile contexts: when the parties' understanding of scope, responsibility, and acceptance is murky, the project — and the relationship — is far more likely to end in court. American courts reach similar results under ordinary contract doctrine; whether a developer "substantially performed," and what the parties actually bargained for, become fact-intensive questions a well-drafted Agile contract can largely pre-empt. (See legal protection of software.)

The conclusion is not that Agile is "unlawyerable." It is that the contract must be built around the method instead of against it. The rest of this article shows how — but first, a short doctrinal detour.

The Doctrinal Backdrop: What Body of Law Governs, and How Acceptance Works

Before drafting anything, it helps to know which legal rules supply the default terms when the contract is silent — because Agile's informality leaves the contract silent more often than anyone intends, and the gaps get filled by background law.

Goods, services, or both? A custom-software development engagement is usually a services contract governed by the common law of contracts, not by Article 2 of the Uniform Commercial Code, which governs transactions in "goods" and supplies its own rules on acceptance, rejection, cure, and warranty differing from common-law defaults. Courts have split over whether software is a "good," the answer often turning on whether the deal is predominantly the sale of a finished product (looks like goods) or the provision of bespoke development labor (looks like services); some apply a "predominant purpose" test to mixed deals, others treat mass-market software like goods. The practical upshot for an Agile build, overwhelmingly a labor engagement, is that common-law principles such as substantial performance usually govern unless the contract says otherwise — and a careful contract should say otherwise where it wants a different rule.

Substantial performance versus perfect tender. Under the common law of services, a party who has substantially performed — rendered performance that, while imperfect, does not defeat the contract's essential purpose — may generally recover the contract price less damages for the shortfall, rather than forfeiting everything. The classic statement is Judge Cardozo's in Jacob & Youngs, Inc. v. Kent, 230 N.Y. 239 (1921), where a builder who installed the wrong (but equivalent) brand of pipe had still substantially performed; full payment may be due even where performance is imperfect, so long as it is substantial. By contrast, the UCC's "perfect tender" rule, U.C.C. § 2-601, lets a buyer of goods reject a delivery that fails to conform "in any respect" — far harsher for the seller, softened by the right to cure (§ 2-508). An Agile customer who assumes it can reject a sprint increment for any nonconformity is importing a goods rule into what is almost certainly a services contract; an Agile developer who assumes "close enough" always suffices forgets that the parties can contract for a stricter standard. The lesson: do not leave acceptance to the background default. Define it.

Acceptance as a legal event. Under the UCC, a buyer "accepts" goods by signifying conformity, by failing to make an effective rejection after a reasonable opportunity to inspect, or by acting inconsistently with the seller's ownership (§ 2-606); acceptance generally obligates payment and narrows the buyer's remedies (revocation under § 2-608 is available only in limited circumstances). Even outside the UCC, acceptance in a development contract is the moment the customer agrees that what it received conforms to what it was owed, with comparable consequences: payment becomes due, and the customer's ability to complain later shrinks. Agile distributes that legal event across the whole project — real upside (problems surface every two weeks) and real risk (early acceptances can come back to haunt the customer). Holding those consequences in mind turns "definition of done" from a project-management nicety into a contract clause that allocates money and risk.

Choosing the Pricing Model: T&M, Capped T&M, and Sprint-Based Pricing

Pricing is where the customer's desire for budget certainty collides most directly with the developer's desire to be paid for work actually performed. Customers prefer the certainty of a fixed price (pushing risk onto the developer); developers prefer to be paid for all time spent (pushing risk onto the customer). A common criticism of Agile is that its flexibility exposes the customer to pricing risk — but all projects are prone to scope change, and Agile is in fact better than waterfall at re-pointing spend toward what the customer still wants, so cost is less likely to be sunk into deliverables nobody needs. Three models dominate.

Time and materials (T&M). Under a pure T&M arrangement the customer pays for hours worked (plus expenses and materials) at agreed rates. This aligns naturally with Agile, because it does not require anyone to pre-define the deliverable. Its weakness is obvious: the customer bears all the budget risk. A sophisticated customer will rarely sign an open-ended T&M deal for a substantial build.

Capped (not-to-exceed) T&M. The standard compromise is T&M subject to a "not-to-exceed" cap: the customer pays for hours actually worked, but the developer agrees total charges will not exceed a stated ceiling without the customer's written approval. This preserves the flexibility Agile needs while giving the customer a hard budget. The drafting points that matter:

  • What the cap covers. The cap should be defined per phase or per release, not just as a single project-wide number, so the parties revisit the budget at natural decision points.
  • What happens at the cap. The contract should say whether the developer must keep working (and absorb the overage) or may stop and re-negotiate. The fair, common answer: the developer must promptly warn as charges approach the cap (e.g., at 80%) and may stop work, without breach, if the cap is reached and not raised.
  • Forecasting duty. Pair the cap with a developer obligation to provide regular burn reports — actual hours and spend against the cap, often visualized as a burn-down chart of remaining work against remaining time — so the customer is never surprised.

Sprint-based / fixed-price-per-sprint. Here the customer pays a fixed fee per sprint for a development team of defined size and composition. Because the time (one sprint) and capacity (team size) are fixed while the scope built within that capacity flexes, this model fits Agile especially well. It is sometimes called "fixed price, flexible scope": the customer buys a known quantity of skilled effort each cycle and uses the backlog to direct it to whatever is most valuable. Even a hard-budget customer benefits, because prioritization ensures the highest-value items get built first within the available money. The contract should address how team size and rate can be adjusted by agreement for future sprints — a sample formulation: "Client shall pay Developer a fixed fee of $[X] per Sprint for a Development Team of [Y] members; the parties may adjust the team size and corresponding Sprint fee for future Sprints by written agreement" — and what happens to an interrupted sprint.

A hybrid worth knowing: target-cost / shared risk-reward. For larger engagements, parties sometimes agree a target cost with a mechanism to share overruns and savings (the developer absorbs part of any overrun and shares part of any underrun). This aligns incentives but is complex to administer and is usually reserved for mature relationships.

Worked scenario — pricing (hypothetical). Acme Corp. engages Builder Software LLC to develop a logistics platform. Acme's CFO insists on a hard budget; Builder refuses pure fixed price because the requirements are admittedly immature. They settle on capped T&M: a per-release cap of $600,000, blended hourly rates, a Builder duty to issue weekly burn reports and a written alert at 80% of any release cap, and a right for either party to pause at a sprint boundary if the cap is reached. Acme gets its ceiling; Builder gets paid for real work and need not eat overruns it warned about.

Whatever the model, the pricing clause should expressly cross-reference the change-management and termination provisions, because the three operate as a system. Many of the same payment, audit, and termination considerations recur in subscription deals; our software license agreement review checklist toolkit walks through the parallel issues for licensed and SaaS products.

Structuring the Agreement: Master Agreement Plus Sprint-Based Statements of Work

The cleanest architecture for an Agile engagement separates the durable legal terms from the evolving work description. Use a master services agreement (MSA) for the terms that should not change sprint to sprint — IP ownership, warranties, limitation of liability, confidentiality, indemnities, insurance, data security, termination, dispute resolution, and governing law — and one or more statements of work (SOWs) for the project-specific description of what is being built and how it is paid for. SOWs can be added any time during the MSA's term, suiting a continuing relationship across one or more projects.

A statement of work is simply an attachment describing the services to be performed or goods to be delivered. The key discipline is that the MSA must contain an order-of-precedence clause stating how conflicts between the MSA and an SOW are resolved (typically the MSA's legal terms control unless an SOW expressly overrides a specific, identified section). Without that clause, a customer-favorable MSA can be quietly undone by a developer-favorable SOW, or vice versa — a particular danger when one side slips its own form SOW (almost always drafted in its favor) into a deal governed by the other side's MSA. A second, related discipline: be careful about pre-execution conduct. As long as the key terms are agreed, an exchange of emails or an oral understanding can form a binding contract, so negotiation correspondence should be marked "subject to contract," and a nonbinding term sheet should say plainly that only the signed SOW binds. An Agile team's collaborative, informal style makes such accidental contract formation a live risk.

Making the SOW Agile-native. A traditional, fixed-price SOW is highly detailed and technical — it must be, because it defines the deliverable. (T&M and cost-reimbursement deals, by contrast, tolerate a less exacting SOW.) An Agile SOW should be the opposite in one specific respect: it should describe the framework for delivering value, not an exhaustive feature list. A well-built Agile SOW typically contains:

  • The product vision and business objectives — what success looks like in business terms, focused on goals and benefits rather than technical solutions, stated at a level that should remain stable across the project. The product vision is the one document supposed to stay still.
  • The initial product backlog — the starting list of prioritized user stories, expressly labeled a living document the product owner may re-prioritize, supplement, and prune. (High-priority items should be the most clearly defined; lower-priority items may remain vaguer until they rise.)
  • The sprint cadence — sprint length (e.g., two weeks), the ceremonies (planning, daily stand-up, review, retrospective), and a rule worth stating expressly: sprint length is fixed and is not extended to absorb unfinished work; unfinished items return to the backlog.
  • Team composition and roles — who fills the product owner, Scrum Master, and development-team roles, and which party supplies each. (A caution: mixing customer and developer personnel on one team advances the collaborative ideal but blurs responsibility, making it harder to allocate blame — and to extract warranties — if the project fails.)
  • The definition of done and acceptance criteria — discussed in detail below.
  • Pricing and invoicing — the chosen model, rates or per-sprint fees, caps, and reporting duties.
  • A completion/exit standard — how the parties will know the engagement is finished (for example, when a defined set of high-priority backlog items has been delivered and accepted, after a set number of sprints, or upon either party's termination for convenience at a sprint boundary).

One drafting note carries real weight: user stories are not a substitute for a technical specification. They are deliberately informal — a conversation prompt in the everyday language of the business user. Genuinely mandatory requirements — a regulatory mandate, a security control, an interoperability or accessibility requirement, a public-procurement obligation — must be stated explicitly in the backlog (or in a "non-negotiable requirements" exhibit), not left to the loose language of a user story. A customer who buries a compliance obligation inside a casual story like "as a user, I want my data to be safe" has not contracted for anything enforceable. Our note on drafting and negotiating software license agreements handles mandatory specifications and representations generally.

The Product Owner: Turning a Scrum Role Into a Contractual Office

In Scrum, the product owner is the single person who decides what gets built and in what order. In an Agile contract, the product owner is also a legal linchpin, because so much of the project's risk allocation depends on that person's decisions. If the product owner deprioritizes a feature, the developer is generally off the hook for not delivering it; if the product owner accepts a sprint increment, the customer may be bound by that acceptance. The contract must therefore treat the product owner as a defined office with defined authority, not just a job title.

Effective drafting addresses four points.

  • Designation and authority. The contract should give the customer the right (and obligation) to appoint a named product owner with actual authority to prioritize the backlog, accept or reject sprint increments, and serve as the developer's single point of contact. A sample formulation: "Client shall designate a Product Owner with authority to make decisions regarding the Product Backlog, accept or reject Sprint deliverables, and serve as the primary point of contact for the Development Team." The developer's workflow depends on timely, authoritative decisions; a product owner who must "check with the committee" before every decision breaks the model.
  • Availability and responsiveness. Because Agile depends on close, frequent collaboration — the Manifesto calls for daily cooperation between business people and developers — the contract should obligate the customer to make the product owner reasonably available (to attend planning and review meetings and answer the team's questions within a stated time). This is not a courtesy clause; it is a customer obligation whose breach can excuse developer delay, because a developer starved of decisions cannot be held to a schedule.
  • The developer's legitimate interest in the choice. Project success depends on a competent product owner, so a developer may reasonably ask for some say — a right to be consulted on the appointment, or a requirement that the product owner have appropriate seniority, Agile experience, and decision-making authority.
  • Guarding against backdoor termination. Because the product owner controls the backlog, an unscrupulous customer could effectively cancel the project by deleting everything from the backlog while denying the developer the protections (minimum-term or early-termination compensation) that a formal termination would trigger. The developer should ensure that a wholesale gutting of the backlog is treated as a termination for convenience, with whatever compensation the termination clause provides — and be alert that an early-termination right can be wielded as leverage to reopen price.

Worked scenario — the absent product owner (hypothetical). Acme names a busy vice-president as product owner, but she attends only half the sprint planning meetings and takes two weeks to answer questions. Velocity collapses. When Acme complains about slow delivery, Builder points to the contract's product-owner-availability clause and its own contemporaneous logs of unanswered questions. Because the contract made product-owner responsiveness an express customer obligation, the delay is allocated to Acme, not Builder. Had the contract been silent, the parties would be litigating an open-ended "who caused the delay" question.

The same impulse — defining who has authority to bind whom — runs through good technology contracting generally, and relates closely to the assignment and authorization issues in our note on employee invention assignment agreements.

Acceptance, Acceptance Criteria, and the "Definition of Done"

"Acceptance" is the moment the customer agrees that what it received conforms to what it was owed — a legal event with consequences for payment and remedies. In a fixed-price waterfall deal, acceptance is a single event near the end, measured against the specification. Agile distributes acceptance across the whole project: the customer tests each sprint's increment as it is delivered. This is one of Agile's great risk-reduction features — it surfaces problems every two weeks instead of saving them for a catastrophic reveal at the end — but only if the contract defines acceptance carefully.

Two related but distinct concepts. Practitioners and engineers sometimes conflate them, and the contract should keep them separate:

  1. The definition of "done" is a general quality standard applying to every backlog item. It answers "what does it mean for any piece of work on this project to be finished?" — for example, code written and peer-reviewed, unit tests written and passing, integrated into the main build, documentation updated, and no known critical defects. It is negotiated up front and attached as an exhibit, and should be revisited at each sprint planning meeting to confirm how it applies to that sprint's items. The project as a whole is complete when every item the customer still wants has been finished in compliance with the definition of done.

  2. Acceptance criteria are item-specific tests. They answer "what does this particular story have to do to count as correctly built?" — for instance, "a user with an expired password is redirected to the reset page and receives a reset email within sixty seconds." They should be described in concrete detail, not left to the loose language of the user story, because the story is a conversation prompt and the acceptance criteria are the contractual test.

Drafting the acceptance mechanism. A robust clause typically provides that, at the end of each sprint, the developer demonstrates the completed increment; the customer (acting through the product owner) has a defined window — say, five business days — to test it against the definition of done and applicable acceptance criteria and accept or reject it in writing; rejection must specify the failed criteria; and unaccepted items return to the backlog rather than vanishing. (A well-drawn contract requires the product owner to put back on the backlog any items selected but not completed, and any completed items that failed acceptance — which is why mere failure to finish an item on schedule is not automatically a breach.) A sample formulation: "At the end of each Sprint, Developer shall demonstrate the completed work; Client shall have [X] business days to accept or reject it against the Definition of Done. Acceptance of Sprint deliverables shall not constitute final acceptance of the Project as a whole." Crucially, accepting a sprint increment is not final acceptance of the whole product and does not waive the customer's rights as to the integrated final system. Equally, the contract should fix when the deemed-acceptance clock runs — silence from the product owner past the review window should not silently bind the customer (or, if it does, both sides should know it).

The double-edged sword of incremental acceptance. Incremental acceptance protects the customer by catching problems early, but it also protects the developer, sometimes in ways customers do not anticipate. Once a customer has accepted early sprints, it may be hard to argue later that those increments were defective — for example, that they formed an inadequate architectural foundation for later work. Because the dependencies of later results on earlier ones are genuinely hard to foresee, this is not a hypothetical risk. Customers should therefore negotiate language preserving the right to raise architectural or integration defects even after accepting individual increments, while developers will want acceptance to be meaningfully final for the discrete functionality tested. There is no single right answer; the point is to decide deliberately, not discover the allocation in a deposition.

Worked scenario — done vs. accepted (hypothetical). In sprint three, Builder demos a payment-processing story. It works in the demo, so Acme's product owner clicks "accept." Two sprints later, under real load, the payment module fails because the early design did not account for concurrency. If the definition of done required load-testing and the acceptance criteria included a concurrency benchmark, the increment was never actually "done," and Builder must fix it at its own cost. If the definition of done was silent on performance and Acme accepted, Acme may be stuck — unless it preserved a separate right to raise integration-level defects. The drafting, not the demo, decides who pays.

Change Management Without Formal Change Orders

The single most important conceptual shift for a lawyer moving from waterfall to Agile is this: in Agile, change is the normal operating state of the project, not an exception to be papered. The waterfall change-control process — every scope change requires a signed change order and usually an added fee — is not merely unnecessary in Agile; it actively fights the methodology, where scope changes happen constantly, by design, through ordinary backlog re-prioritization. (This is also why scope creep, the classic budget-killer, is more containable in Agile than in waterfall: the method points forward toward what the customer needs next, not backward toward what it thought it needed at kickoff.) If the contract requires a formal change order for each change, the parties will either drown in paperwork or, more likely, ignore the requirement and create a fatal gap between contract and conduct.

The better approach replaces "change control" with bounded flexibility: the contract grants the product owner broad authority to reshape the backlog within the agreed budget and cadence, and reserves formal-amendment machinery for changes that cross defined thresholds. Several drafting techniques accomplish this:

  • The fixed-capacity, flexible-scope frame. Under sprint-based pricing (a fixed fee per sprint for a fixed-size team), re-prioritizing within a sprint's capacity has no price effect at all — the customer is buying a fixed quantity of effort and may point it wherever it wants. Change "management" largely collapses into ordinary product-owner prioritization, and the contract simply needs to confirm this is permitted and is not "extra work."

  • Effort thresholds for amendments. Where the budget is capped, the contract can provide that the product owner may freely re-prioritize, add, and remove backlog items, but that a change increasing the total estimated effort (in story points or hours) beyond a stated threshold — or beyond the not-to-exceed cap — requires a written amendment in which the parties negotiate, in good faith, any adjustment to budget or timeline. This gives the customer full day-to-day flexibility while protecting the developer from unlimited, uncompensated expansion. A much-used formulation: "The Product Owner shall have the authority to add, remove, or reprioritize items in the Product Backlog, provided that changes increasing the total estimated effort by more than [20]% shall require a formal written amendment, and the parties shall negotiate in good faith any corresponding adjustment to the project timeline or budget." The percentage is a negotiation point, not a magic number — pick one the parties can actually monitor against a baseline estimate.

  • The "swap" convention. A common practical rule: the product owner may swap a not-yet-started item out of a sprint and a roughly equivalent item in, at no charge, but adding net new effort beyond the planned capacity triggers re-pricing. This mirrors how Agile teams actually work and is easy for lawyers and engineers alike.

  • The doctrinal backstop: cardinal change. Even with these mechanisms, parties should understand the outer limit. Borrowed from government-contract law, the doctrine of "cardinal change" recognizes that a change so fundamental it effectively creates a different contract is outside the original bargain — the contractor is not obliged to perform it for the original price and may seek separate compensation. The Agile analogue is a pivot so drastic the project becomes a different project (the logistics platform becomes a consumer social app). No amount of routine backlog flexibility covers that; it requires a new or materially amended agreement. An express "material pivot" or "cardinal change" clause — defining what counts and what happens (re-scoping, re-pricing, or termination with compensation for work done) — gives both sides a predictable off-ramp.

Worked scenario — the pivot (hypothetical). Midway through the build, user testing convinces Acme to abandon the logistics platform's warehouse-management module entirely and pursue a different market. Ordinary re-prioritization would let Acme drop warehouse stories and add new ones within budget — but this change is far larger: it discards months of completed, accepted work and redirects the whole project. Because the contract contains a material-pivot clause, the parties invoke it: a re-scoping review, a revised completion definition and budget, and a rule for the abandoned-feature code (here, Builder keeps the right to reuse generic, non-Acme-specific components, while Acme owns the Acme-specific work it paid for). The change is absorbed without a dispute, because the contract anticipated it.

The throughline: good Agile change management is not the absence of discipline; it is discipline relocated from the change-order desk to the backlog and to a small number of well-defined thresholds.

Intellectual Property: Work Made for Hire, Written Assignment, and the Implied License Trap

Who owns the software is the question that most often turns a friendly project into a lawsuit, and Agile's incremental creation of code makes the answer less intuitive than clients assume. The default rule frequently surprises people: the developer, not the paying customer, usually owns the copyright in custom code unless the contract says otherwise. And in iterative development the line between pre-existing and newly created IP blurs sprint to sprint, so the contract must draw it.

Copyright vests in the author. Under U.S. copyright law, copyright in an original work — including software source code, which the Copyright Act protects as a "literary work" — vests initially in the author, 17 U.S.C. § 201(a). When an independent contractor (an outside development firm) writes the code, the contractor is the author and initial owner; paying does not, by itself, transfer ownership. So a customer who hires Builder Software LLC and assumes "we paid for it, so we own it" is, absent contract language, very likely wrong.

The work-made-for-hire doctrine, 17 U.S.C. § 101. Two routes change that default, both depending on the work-made-for-hire doctrine and on written assignment. The Copyright Act defines a "work made for hire" in § 101 as either (1) a work prepared by an employee within the scope of employment, or (2) a work specially ordered or commissioned for use in one of nine enumerated categories — but only if the parties expressly agree in a written, signed instrument that the work shall be considered a work made for hire. When a work is a work made for hire, the law treats the hiring party as the author and owner from the outset.

This doctrine has two traps for custom software.

  • The employee/contractor distinction. The first prong covers only employees acting within the scope of employment, as "employee" is understood under common-law agency principles. The Supreme Court fixed that framework in Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989), directing courts to weigh a multi-factor agency test (control over the work, source of the tools, skill required, provision of benefits, tax treatment, and so on). The Second Circuit applied Reid to a computer programmer in Aymes v. Bonelli, 980 F.2d 857 (2d Cir. 1992), holding that a programmer who set his own hours, used his own judgment, received no benefits, and was paid without tax withholding was an independent contractor — so his code was not a work made for hire, and the company that paid did not own the copyright. Outside development firms look like the programmer in Aymes, not employees, so the first prong usually does not apply to a development-firm engagement. This is also why a software company must have solid invention-assignment and work-made-for-hire agreements with its own employees and individual contractors — treated at length in employee invention assignment agreements.

  • The nine-category problem. The second (commissioned-work) prong operates only if the work fits one of nine listed categories — a contribution to a collective work, a part of a motion picture or audiovisual work, a translation, a supplementary work, a compilation, an instructional text, a test, answer material for a test, or an atlas. Standalone custom application software fits none of the nine clearly. So calling custom software a "work made for hire" in the contract may simply not work as a matter of law, because the statutory predicate is missing.

The implied-license trap. Here is the danger most customers never see coming. If the contract says nothing useful about ownership, the customer is not left empty-handed — but what it gets may be far less than it bargained for. Courts will sometimes find that a developer who created software at a customer's request, delivered it, and intended the customer to use it has granted an implied, nonexclusive license to use it, even absent any writing. The leading case is Effects Associates, Inc. v. Cohen, 908 F.2d 555 (9th Cir. 1990), where a filmmaker who commissioned and paid for special-effects footage received an implied license to use it though the creator retained the copyright. Translated to software: a customer with no IP clause may end up with a bare license to use the code — but not ownership, not the right to exclude others, not necessarily the right to modify it or hand it to a competing developer for maintenance; and an exclusive transfer of copyright is unenforceable anyway unless in a signed writing, 17 U.S.C. § 204(a). "We have an implied license" is a thin, litigated consolation prize compared to "we own it." (And recall that even routine use makes copies the Act regulates: MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993), held that loading software into RAM creates a "copy" — precisely why a customer needs an express license or ownership rather than a guess about implied permissions.)

The fix: a present assignment plus a work-for-hire recital. Because the work-made-for-hire label is unreliable for custom software, experienced drafters do not rely on it alone. The standard solution is a belt-and-suspenders clause: the developer agrees the deliverables are works made for hire to the extent permitted by law, and, to the extent any deliverable is not (or cannot be), the developer presently assigns all right, title, and interest in the deliverables to the customer. A present assignment ("Developer hereby assigns") is generally stronger than a promise to assign in the future ("Developer agrees to assign"), which may require a further act to complete the transfer and can be defeated by intervening events. The assignment must be in a signed writing to be effective, § 204(a). The clause should also obligate the developer to execute any further documents needed to perfect and record the assignment, and to obtain the same rights from its own employees and subcontractors up the chain.

Background IP versus project IP. A separate, equally important line must be drawn between background IP (pre-existing tools, libraries, frameworks, and know-how the developer brings to the project, sometimes called "developer materials") and project IP (the new, customer-specific work created during the engagement). Developers almost never assign background IP — it is the engine of their business and is reused across clients — but the deliverables usually cannot function without it. The standard resolution: the customer takes ownership of the project IP and receives a broad, perpetual, irrevocable, royalty-free, non-exclusive license to use, maintain, and modify any embedded background IP as necessary to exploit the deliverables. Failing to address background IP is a classic trap — the customer "owns" the software but cannot use it without a license to the libraries woven through it.

Timing of transfer in an incremental build. Agile's sprint-by-sprint creation raises a timing question a waterfall contract never faced: when does ownership pass — at final delivery, or increment by increment? The cleanest, most common answer ties IP transfer to payment, sprint by sprint: upon payment for each sprint, ownership of that sprint's deliverables vests in (or is assigned to) the customer. A sample formulation: "Upon payment for each Sprint, Developer hereby assigns to Client all right, title, and interest in the Intellectual Property created during that Sprint; Developer retains its Background IP but grants Client a non-exclusive, perpetual license to use it as necessary to exploit the Project IP." This protects both sides: the customer is not left holding a half-built system it cannot legally use if the relationship ends mid-project, and the developer retains leverage by not transferring IP for unpaid work. The contract should also state what happens to work-in-progress on early termination — typically, the developer delivers completed and in-progress work for the sprints already paid, and a pro-rata payment covers a partially completed final sprint.

Worked scenario — ownership gap (hypothetical). Acme terminates after sprint six over a budget dispute, having paid for sprints one through five. Builder's contract assigns each sprint's IP "upon payment for that sprint." Acme therefore owns and may freely use sprints one through five (with a license to Builder's embedded background framework), but not the unpaid sprint-six work. Had the contract said only "all IP transfers on final acceptance," there would have been no final acceptance — and Acme might own nothing it had paid five sprints to build, holding at most an Effects Associates-style implied license to run the code as-is.

For a deeper treatment of the interplay between copyright, patent, trade-secret, and contractual protection of code, see legal protection of software.

Open-Source and Third-Party Components: License Compliance as a Drafting Problem

Virtually no modern application is written entirely from scratch. Development teams — and Agile teams especially, because speed and reuse are core values — assemble software from open-source software (OSS) components and third-party libraries. That is enormously efficient, and it imports license obligations that, if ignored, can compromise the very IP ownership the parties just carefully allocated. "Open source" does not mean "free of obligations." OSS is licensed under copyright, and every OSS license imposes conditions; violate them and you may be not merely in breach of contract but infringing the copyright in the component.

The spectrum of OSS obligations. OSS licenses (the Open Source Initiative recognizes scores of them) range along a spectrum from permissive to strongly reciprocal:

  • Permissive licenses (such as MIT, BSD, and Apache 2.0) impose light obligations — typically that you preserve copyright and license notices and include a copy of the license; Apache 2.0 also adds an express patent grant and a notice-file requirement. They generally let you incorporate the component into proprietary, closed-source products without releasing your own code.

  • Reciprocal or "copyleft" licenses (most famously the GNU General Public License, GPL) impose a far more consequential condition: if you distribute software that incorporates GPL-licensed code in a way that creates a "derivative work," you must make the combined work's source code available under the same GPL terms. For a company trying to deliver proprietary software it owns, an inadvertent GPL "infection" can be catastrophic — the obligation to open-source code the customer believed was its exclusive, proprietary asset. "Weak copyleft" licenses (LGPL, MPL) sit in between, generally requiring you to share modifications to the component itself but not your entire surrounding application, subject to specific linking and distribution conditions.

The distinctions are technical and the stakes are high; we treat them in depth in open-source licensing landmines in enterprise software development, provide ready-to-use tools in our open-source compliance checklists collection, and survey the field in open source software.

Why this is acute in Agile. Agile's rapid cadence and emphasis on reuse mean components get pulled in quickly, often by individual developers under sprint pressure, sometimes without legal review. Across dozens of sprints, the cumulative inventory of dependencies (and the dependencies of those dependencies — the "transitive" tree) can become large and poorly documented. Contract and process must therefore make compliance a continuous discipline.

Drafting and process controls. A sound Agile agreement addresses OSS through both contract terms and operational requirements:

  • Disclosure and approval. The developer should disclose all OSS and third-party components incorporated into the deliverables — increasingly via a software bill of materials (SBOM), a machine-readable inventory of components and their licenses — and obtain the customer's approval before introducing any component under a copyleft or otherwise restrictive license. Many enterprise customers maintain an OSS policy pre-approving certain permissive licenses and flagging others, which the contract can incorporate by reference.

  • Compliance warranty. The developer should warrant that its use of OSS and third-party components complies with the applicable licenses and that no component will, by its terms, require the customer's proprietary code to be disclosed, licensed for free, or subjected to copyleft obligations — a warranty against unwanted copyleft contamination.

  • IP indemnity that reaches OSS. The developer's IP indemnity should extend to claims arising from the OSS and third-party components it chose to incorporate, so the developer — who selected them — bears the risk of a license-compliance or infringement claim, not the customer.

  • Notice and attribution delivery. Because even permissive licenses require preserving notices, the contract should require the developer to deliver all required attribution and license notices with the software, so the customer can satisfy those conditions when it distributes the product.

Worked scenario — the copyleft surprise (hypothetical). Under sprint pressure, a Builder developer drops in a convenient image-processing library that turns out to be GPL-licensed. Builder delivers, Acme accepts, and Acme later wants to license the platform as a proprietary product. A diligence review flags the GPL component: distributing the proprietary platform with the GPL library embedded could trigger an obligation to release Acme's source code. Because Builder's contract contained an OSS-disclosure requirement, a no-copyleft-contamination warranty, and an IP indemnity reaching third-party components, Acme can require Builder to remediate (replace the component or obtain a commercial license) at Builder's cost. Without those terms, Acme would face the choice of open-sourcing its crown jewels or stripping and rebuilding a feature — on its own dime.

Warranties and Limitation of Liability in an Evolving Product

Warranties and the limitation of liability are where each party defines how much risk it is taking. Agile complicates both, because the traditional warranty model — a promise that the software conforms to a fixed specification — is built on a specification that, in a real Agile project, does not exist at signing. The customer arguably takes on greater legal risk than in a waterfall deal, where the developer typically warrants compliance with detailed functional and technical specifications and the parties allocate risks like third-party infringement through indemnities. Adapting that machinery to a moving target is the task.

Re-anchoring the warranty. Several adaptations are common.

  • Warrant against a product description rather than a frozen spec. Because the specification emerges over time, the customer can ask the developer to create, as the project matures, a description of the product and its functionality, and warrant conformity to that description for a defined warranty period — a yardstick built during the project rather than imposed at the start.

  • Warrant the process and professionalism. The developer typically warrants that it will perform in a professional, workmanlike manner consistent with applicable industry standards and Agile best practices, using suitably qualified personnel — a genuine, enforceable commitment even though it speaks to how the work is done rather than to a fixed output.

  • Defect-correction commitment. Developers rarely warrant that complex software is error-free (no one can honestly promise that). A common formulation captures the realistic alternative: the developer warrants it will perform in accordance with Agile best practices and industry standards, does not warrant the software will be error-free, but will promptly address, within a defined warranty period and per an agreed prioritization process, defects that cause the software to fail to conform to its acceptance criteria or product description. Severity tiers (critical, major, minor) with corresponding response and resolution targets make this concrete.

  • Increment versus whole. The parties must decide whether warranties attach to each increment as delivered or only to the product at the end of the term — and when warranty periods start to run for early increments. A customer will not want the warranty on sprint-one code to expire before the product is even finished; tying the warranty clock for all components to final acceptance (or release) usually serves the customer better. Where the team mixes customer and developer personnel, expect the developer to resist robust warranties, because shared authorship muddies fault.

  • The usual third-party warranties. Independent of methodology, the developer should warrant non-infringement of third-party IP and (as discussed above) license compliance, backed by an indemnity — these do not change merely because the project is Agile.

Limitation of liability. This clause caps and channels the developer's exposure — typically excluding indirect, consequential, and incidental damages (lost profits, lost data, business interruption) and capping direct damages at a stated figure (often a multiple of fees paid). Three Agile-specific points deserve attention.

  1. The cap base. Where fees are paid sprint by sprint and may be modest at any moment, a cap pegged to "fees paid in the prior twelve months" can leave the customer badly under-protected for a serious failure. Negotiate the cap base deliberately — total fees paid under the SOW, or a fixed floor amount, rather than a rolling short window.

  2. Carve-outs. Customers should insist that certain liabilities sit outside the cap and the consequential-damages exclusion — commonly IP-infringement indemnity, breach of confidentiality, and breach of data-security obligations — precisely the risks where a low cap would gut the customer's protection.

  3. Enforceability and conscionability. Negotiated commercial limitation clauses are generally enforced — courts routinely uphold bargained-for risk allocations between sophisticated parties, and decisions like ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996), reflect the broad freedom of contract that governs software deals. But they are not bulletproof. Where the UCC applies, an exclusive or limited remedy that "fail[s] of its essential purpose" can be set aside, U.C.C. § 2-719(2), and an unconscionable consequential-damages exclusion will not be enforced, § 2-719(3); even at common law, a clause that leaves a party with no meaningful remedy, or that is buried and one-sided against a much weaker party, invites attack. Clear, mutual, conspicuous clauses fare far better than hidden, lopsided ones. For the comparable analysis in licensing deals, see our software license agreement review checklist toolkit.

Worked scenario — the cap that vanished (hypothetical). Acme's contract caps Builder's liability at "fees paid in the preceding three months." A latent defect in early code corrupts Acme's customer data nine months after Acme stopped active development and largely stopped paying; the rolling three-month cap is now near zero. Had Acme negotiated (a) a cap based on total SOW fees with a fixed floor, and (b) a carve-out placing data-security breaches outside the cap, its protection would have survived the lull. The methodology did not create this problem; the failure to adapt boilerplate to a sprint-based payment stream did.

Performance metrics and service levels. Traditional service-level agreements, written around milestone-completion percentages against a fixed specification, fit Agile poorly because spec and milestones are both moving. Three adaptations help. First, prefer outcome-based metrics — did the increment meet its acceptance criteria and the definition of done — over compliance with an up-front spec that no longer describes the product. Second, where the parties want a throughput measure, use Agile-native metrics such as velocity (story points completed per sprint) or burn-down rate (remaining work against remaining time), but with care: velocity is a planning tool, not a guarantee, and a contract that turns raw velocity into a penalty incentivizes point inflation rather than value. Third, review and adjust agreed service levels periodically, because what is worth measuring changes as the product matures. For scaled programs, frameworks such as the Scaled Agile Framework (SAFe) offer ready vocabulary and metrics contracts can incorporate by reference to keep multiple vendors measuring the same things the same way.

Data Security and Privacy Obligations

When the software will collect, store, or process personal or sensitive data — which is to say, most software — data-security and privacy obligations must be woven into the agreement and, just as importantly, into the development process. Agile's iterative nature makes the once-popular idea of bolting on security "at the end" both impractical and dangerous; security and privacy must be designed in from the first sprint ("shifting left").

Security obligations. The contract should require the developer to follow recognized security standards and secure-development practices, handle any customer or end-user data only as instructed and as necessary to perform the services, and maintain appropriate administrative, technical, and physical safeguards. Increasingly, customers require alignment with frameworks such as the NIST Cybersecurity Framework or SOC 2 controls. The agreement should also include incident-response obligations: prompt notification of any security incident, cooperation in investigation and remediation, and a clear allocation of responsibility and cost. Because a breach can also expose trade secrets embedded in or processed by the software, the security clauses should dovetail with confidentiality protections — see cybersecurity incident response and IP protection.

Privacy obligations. If personal data is involved, the developer is frequently acting as a service provider or processor under privacy laws — including U.S. state statutes such as the California Consumer Privacy Act (as amended by the CPRA) and its growing list of counterparts, and the EU/UK GDPR. These laws often require specific contractual terms (a GDPR Article 28 data-processing agreement or a CCPA service-provider clause) restricting how the processor may use the data, requiring security measures, and addressing sub-processors, data-subject rights, deletion, and audit. The contract should also require privacy by design — building data-minimization, consent, and access controls into the backlog as first-class requirements.

Cross-border data. Where the Agile team is distributed across countries (increasingly the norm), personal data may move across borders, implicating international transfer rules — and, with distributed teams, employment-law, contractor-classification, and cross-jurisdiction IP questions besides. Transfers of EU personal data outside the EEA generally require a lawful transfer mechanism — most commonly the European Commission's Standard Contractual Clauses, often paired with a transfer-impact assessment after Schrems II; see international data transfers after Schrems II. A global Agile contract should specify where development and data processing may occur and require compliance with the applicable transfer regime.

The practical drafting lesson: these obligations must be expressed as mandatory, non-negotiable backlog requirements, not user stories the product owner is free to deprioritize. A privacy or security control that can be swapped out of a sprint to make room for a flashier feature is not a control at all.

Agile in Regulated and Government Settings

Two contexts deserve special attention because they superimpose external rules on top of the contract: regulated industries and government procurement.

Regulated industries. Where the software operates in healthcare, financial services, life sciences, or another regulated sector, the product must comply with sector-specific law throughout its evolution — HIPAA for protected health information, the panoply of financial-services and consumer-protection rules, FDA requirements for software that qualifies as a medical device, and so on. Regulators increasingly accept Agile, but they expect the evidence of compliance — design history, risk analysis, validation, traceability from requirement to test — that Agile teams sometimes under-document. The contract should require that regulatory and validation requirements be captured as mandatory backlog items, that the definition of done include the documentation and testing the regulator expects, and that the developer maintain the audit trail (who changed what, when, and why) regulated environments demand. Agile's flexibility is fully compatible with regulation, but only if traceability and documentation are treated as part of "done" rather than overhead.

Government procurement. Government agencies have embraced Agile (the U.S. federal government's own digital-services playbooks now favor iterative delivery), yet government contracting rules were built around fixed-scope, fixed-price, milestone-based procurement. A common, proven solution is a hybrid: a fixed budget for a defined number of sprints, a high-level statement of objectives rather than a detailed specification, mandatory features stated explicitly, regular demonstrations and stakeholder reviews to satisfy oversight and transparency requirements, clear criteria for overall project success, and a backlog-reprioritization mechanism bounded by defined parameters. Government contracts also bring their own overlay of clauses, and standard commercial software terms frequently conflict with mandatory federal requirements (indemnification, choice of law, audit rights, rights in data), so a developer's boilerplate cannot simply be dropped into a government deal. The "cardinal change" doctrine discussed earlier is, fittingly, a creature of government-contract law, and its presence is one reason agencies watch scope evolution closely. The lesson from successful programs: clear governance, defined decision rights, and disciplined transparency let an agency capture Agile's adaptiveness while satisfying its accountability obligations.

Worked scenario — the multi-vendor program (hypothetical). A government agency runs a large modernization program using several vendors under a scaled-Agile framework. To keep them aligned, the agency uses a master agreement with consistent legal terms for all vendors, supplemented by vendor-specific SOWs; standardizes sprint cadence and reporting; specifies a single, shared definition of done and quality standard; assigns explicit responsibility for the integration points between vendors' work; and provides for joint retrospectives. Early coordination friction is real, but because the contractual architecture forced alignment, the integrated system is delivered in value-adding phases rather than collapsing under cross-vendor finger-pointing.

Emerging Frontiers: AI-Assisted Development, Smart Contracts, and Agile Beyond Software

Several developments are reshaping the questions an Agile contract must answer, and counsel drafting today should keep them in view.

AI and machine learning in the development process. Agile teams increasingly write code with AI coding assistants and build products whose core is a trained machine-learning model. Both inject new questions into the IP, warranty, and liability provisions above. Ownership becomes murkier: the work-made-for-hire and assignment machinery presupposes a human author, and code substantially generated by an AI tool raises authorship questions the standard clauses do not cleanly resolve — so the contract should address who owns AI-assisted output and require disclosure of which tools were used and on what terms. Liability expands: where the product makes decisions via a machine-learning model, the parties must allocate responsibility for its outputs, error rates, and bias, none of which map neatly onto a "conforms to specification" warranty. And the data used to train or fine-tune a model carries its own privacy, licensing, and confidentiality obligations that belong in the backlog as mandatory requirements. See our notes on artificial intelligence key legal issues and AI-generated inventions — who owns what the machine creates.

Smart contracts and blockchain in project administration. Blockchain-based smart contracts can automate parts of the Agile machinery itself — releasing payment automatically when a sprint increment is marked accepted, or maintaining an immutable, tamper-evident record of backlog changes and approvals (directly addressing the evidentiary-record problem discussed below). The promise is real, but so are the cautions: a self-executing payment trigger is only as good as the off-chain "acceptance" signal that feeds it, smart-contract code defects are hard to reverse, and the enforceability of automated terms is still maturing. Counsel experimenting with these tools should keep a human-readable master agreement as the controlling legal instrument and treat the on-chain logic as an automation layer beneath it.

Agile beyond software. Agile principles are migrating into marketing, hardware, manufacturing, and other domains, and the contracting techniques in this article — bounded-flexibility scope, sprint-based pricing, incremental acceptance, defined decision-making roles — travel surprisingly well to those engagements. The same is true within the law firm itself: iterative delivery of complex legal projects, kanban boards for workload management, and sprint-like structures for focused matter work increasingly serve clients in fast-moving technology markets. The point for the drafter is that "Agile" is no longer a software-only concern, and the flexible-yet-bounded frameworks described here are a starting template wherever iterative delivery meets a contractual relationship.

Dispute Avoidance and Resolution

The best Agile contract resolves most disagreements before they harden into disputes, and channels the rest into proportionate, relationship-preserving forums. Agile has a structural advantage here: its frequent ceremonies — sprint reviews, retrospectives, daily stand-ups — surface problems early and create a habit of collaborative problem-solving. A good contract leverages that culture rather than fighting it.

Build the evidentiary record. Agile's informality is its Achilles' heel in litigation. Because so much is decided in conversation, the documentary trail a court or arbitrator expects — written acceptances, recorded prioritization decisions, change approvals — is often thin, and that thinness can defeat an otherwise valid remedy. Counsel should therefore require that key decisions be memorialized: written acceptance or rejection of sprint increments (with reasons), a maintained and dated backlog showing prioritization changes, and records of any decision crossing a contractual threshold. Modern Agile tooling (issue trackers, version control, CI/CD logs) generates much of this automatically; the contract should require these records be maintained and made available, and designate them as the agreed record of what was prioritized, delivered, and accepted. This single discipline prevents the most common Agile dispute: a swearing contest over who deprioritized what.

A tiered, collaboration-first escalation clause. Rather than jumping straight to litigation, the agreement should require a graduated process: first, escalation within the project (the product owner and the developer's project lead attempt to resolve the issue within a stated number of days); then escalation to senior executives of each party; then a structured ADR step — mediation, or arbitration — before, or instead of, court. A continued-performance clause (the parties keep working and the customer keeps paying undisputed amounts during the process) keeps a fixable disagreement from killing the project. For the mechanics and trade-offs, see our overview of arbitration as alternative dispute resolution.

Choose the forum deliberately. Whether to mandate arbitration or litigation, and where, is a strategic choice. Arbitration offers privacy (valuable when trade secrets and source code are in play), subject-matter-expert arbitrators, and finality; litigation offers appellate review and certain procedural protections. Because software disputes are technical, the ability to put the matter before a decision-maker who understands development — common in arbitration — is a real advantage. Whatever the forum, specify governing law and venue clearly; an ambiguous or absent choice invites a costly preliminary fight before anyone reaches the merits.

Termination as the ultimate dispute-avoider. Finally, well-drafted termination provisions are themselves a dispute-avoidance tool. Because Agile delivers value incrementally, both parties should have clean exits at sprint boundaries: the customer should generally be able to terminate for convenience at the end of a sprint or after a defined number of sprints (Agile's short cycles cap the customer's downside), while the developer should be protected by a minimum term or compensation for committed-but-unused capacity, and by the rule that gutting the backlog counts as a termination triggering those protections. The contract should spell out what happens on termination: delivery of completed and in-progress work, transfer of IP for paid sprints, transition assistance, return or deletion of data, and final payment (including pro-rata payment for a partially completed sprint). A relationship that can end cleanly is far less likely to end in court.

Key Takeaways

The legal challenge of Agile software development is not that the method is lawless; it is that most software contracts are still written for a method nobody uses anymore. The recurring theme is fit: the contract must match the iterative, collaborative, scope-flexible reality of how software is actually built.

  • Stop fighting iteration. Fixed-scope, fixed-price contracting assumes a specification an honest Agile project does not have at signing. Build the contract around goals, budget, and process, not a frozen feature list. And know the default rules: a development engagement is usually a services contract governed by common-law substantial performance, not UCC perfect tender — so do not leave acceptance, cure, or remedy to background law you may not have intended.
  • Pick a pricing model that fits, and structure cleanly. Capped (not-to-exceed) time-and-materials with forecasting duties, or fixed-price-per-sprint ("fixed capacity, flexible scope"), give budget control without forcing the project back into waterfall. Put the legal terms in a master agreement and the project description in sprint-based statements of work, with an order-of-precedence clause to resolve conflicts.
  • Make the product owner a contractual office. Define the product owner's authority and the customer's duty to keep that person available and responsive; responsiveness is a customer obligation whose breach can excuse developer delay.
  • Define "done" and acceptance precisely. Keep the general definition of "done" separate from item-specific acceptance criteria, distribute acceptance across sprints, and decide deliberately how incremental acceptance affects later claims.
  • Replace change orders with bounded flexibility. Let the backlog absorb routine change for free; reserve formal amendments for changes crossing defined effort or budget thresholds; and provide a "cardinal change" off-ramp for true pivots.
  • Nail down IP. Do not rely on the work-made-for-hire label alone for custom software (§ 101's nine categories may not fit, and contractors are not employees under Aymes); use a present written assignment as backstop, license in necessary background IP, tie incremental transfer to payment, and never settle for an Effects Associates implied license when you can own the code.
  • Treat open source as a continuous compliance obligation. Require disclosure (ideally an SBOM), approval of copyleft components, a no-contamination warranty, and an IP indemnity reaching third-party code.
  • Adapt warranties, liability caps, and metrics. Warrant against an emerging product description and the developer's professionalism; choose a cap base and carve-outs that survive a sprint-based payment stream; prefer outcome-based service levels and treat velocity as a forecast, not a guarantee; and remember that even enforceable limitations can fail of their essential purpose.
  • Bake in security and privacy. Make data-security and privacy mandatory backlog requirements, include the required processor/service-provider terms, and address cross-border transfers for distributed teams.
  • Avoid disputes by design. Memorialize prioritization and acceptance decisions, use a tiered escalation clause with continued performance, choose the forum deliberately, and provide clean termination off-ramps at sprint boundaries.

Done well, an Agile contract is not a cage that constrains the project; it is a frame that lets the project flex safely — adaptive where the work is adaptive, firm where the parties' rights and risks must be firm.

Frequently Asked Questions

Is a fixed-price contract ever appropriate for an Agile project? Rarely for the project as a whole, but sometimes for narrow, well-understood sub-components or for a discovery/inception phase whose deliverable (a product vision and initial backlog) really is definable in advance. For the main build, capped time-and-materials or fixed-price-per-sprint almost always fits better, preserving the scope flexibility Agile depends on while still giving the customer budget control.

If we paid a development firm to write our software, don't we automatically own it? Usually not, absent the right contract language. Copyright in custom code vests initially in its author — the contractor (see Aymes v. Bonelli, applying CCNV v. Reid) — and merely paying does not transfer ownership. Custom application software also often does not fit the nine statutory categories that make commissioned work a "work made for hire" under § 101. Worse, with no IP clause you may end up with only an implied, nonexclusive license to use the code (as in Effects Associates v. Cohen), not ownership. The reliable fix is a present written assignment from the developer (with a work-for-hire recital to the extent it applies), plus a license to any embedded background IP.

What is the difference between the "definition of done" and "acceptance criteria"? The definition of done is a general quality standard applied to every work item (for example, code reviewed, tests passing, integrated, documented). Acceptance criteria are specific to an individual feature and define exactly what that feature must do to be considered correctly built. A piece of work must satisfy both before it should be accepted — and "accepted" is a legal event that triggers payment and narrows remedies, so the standard is worth getting right.

How do we handle scope changes without a formal change order for each one? Grant the product owner authority to re-prioritize the backlog freely within the agreed budget and cadence, and reserve formal amendments only for changes exceeding a defined effort or budget threshold (or the not-to-exceed cap). Add a "cardinal change" or material-pivot clause for changes so fundamental they amount to a different project. This replaces continuous paperwork with a small number of clear triggers.

Why is open-source license compliance such a big deal in Agile projects? Agile teams reuse components heavily and quickly, often without legal review, so a project can accumulate many dependencies across dozens of sprints. Some open-source licenses — especially "copyleft" licenses like the GPL — can require you to release your own proprietary source code if their components are incorporated into a distributed combined work. Disclosure requirements (ideally an SBOM), approval gates for copyleft components, a no-contamination warranty, and an IP indemnity protect against an expensive surprise.

Can government agencies and regulated companies really use Agile? Yes, and many do. The key is adding the documentation, traceability, transparency, and governance those environments require — capturing regulatory and validation requirements as mandatory backlog items, building the necessary documentation into the definition of done, and using hybrid contract structures (such as a fixed budget for a set number of sprints against a statement of objectives) that satisfy procurement rules while preserving Agile's adaptiveness.

Related Articles

This article is provided by mclaw.io for general informational purposes only. It does not constitute legal advice, does not create an attorney-client relationship, and should not be relied upon as a substitute for advice from qualified counsel licensed in your jurisdiction. Laws, regulations, and licenses change, and their application depends on the specific facts of each engagement. If you are negotiating, drafting, or disputing an Agile software development agreement, consult a qualified attorney about your particular circumstances.