A software contract lands on a Thursday and the business wants it signed Monday because the vendor's quarter closes. Somewhere in those forty pages is a clause capping the vendor's liability at one month's fees, another letting the vendor use your uploaded data "to improve its products and services," and a third letting it audit your usage and bill overage at "then-current list prices" — triple what you negotiated. None of them is bolded. All of them matter if anything goes wrong. Reviewing a license well is not reading every word with equal care; it is knowing which words carry the risk, what they are supposed to say, and what to do when they say something else. Work this checklist in order: context first, then the grant, then the risk-allocation clauses, because the same clause can be a deal-killer in one transaction and a non-issue in another.

One framing point changes how you read everything: almost no commercial software is sold — it is licensed, specifically to keep you a licensee rather than an owner who could invoke the first-sale doctrine (17 U.S.C. § 109). Vernor v. Autodesk, Inc., 621 F.3d 1102 (9th Cir. 2010), blessed this where the agreement (1) specifies that the user is granted a license, (2) significantly restricts the user's ability to transfer the software, and (3) imposes notable use restrictions. The sharp edge: exceeding the scope of the grant can be copyright infringement, not mere breach. Adobe Systems Inc. v. One Stop Micro, Inc., 84 F. Supp. 2d 1086 (N.D. Cal. 2000), held out-of-scope sales were infringement as a matter of law — with statutory damages, fees, and injunctions a plain breach claim lacks. Read the grant accordingly.

Phase 1 — Pre-Review Context

  • Identify the deployment model: ☐ SaaS ☐ On-Premise ☐ Hybrid
  • Gather the business facts: total contract value (annual and multi-year), business criticality, user/seat count, data sensitivity, integration needs, expected duration, alternatives considered, and timeline pressure
  • Identify every regulatory regime in play and confirm the required addendum exists: HIPAA (BAA, 45 C.F.R. § 164.504(e)), GDPR (Art. 28 DPA + SCCs/DPF transfer mechanism), CCPA/CPRA ("service provider" terms, Civ. Code § 1798.140), PCI-DSS, GLBA, FERPA, FedRAMP, state privacy laws
  • Confirm the agreement is even enforceable as written — negotiated signature (yes) vs. a clickwrap order on top of online terms the vendor can change at will (structural problem)
  • Calibrate effort: maximum scrutiny for high-value and/or high-sensitivity deals; standard review for low-value, low-sensitivity tools

Where the software runs and where the data lives determines which provisions even matter. In SaaS, the contract is a service contract dressed in license language — uptime, data ownership, security, and exit dominate; the thin "right to access and use" grant barely matters. On-premise inverts it: the license grant, copy counts, maintenance, and audit/true-up dominate, and uptime SLAs are largely irrelevant. Regulated data drags a second contract (an addendum) into the deal, and its absence is itself a red flag — a cloud vendor handling PHI is almost always a business associate, not a mere "conduit." On enforceability, courts routinely enforce shrinkwrap and clickwrap terms the user had to affirmatively accept (ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996)) but refuse to enforce browsewrap the user never had reasonable notice of (Specht v. Netscape, 306 F.3d 17 (2d Cir. 2002); Nguyen v. Barnes & Noble, 763 F.3d 1171 (9th Cir. 2014)).

Phase 2 — The License Grant, Metric, and Audit

  • Map the grant's four questions against your real-world use: what may be done (access, copy, modify, derivative works), who may do it, where, and for what purpose
  • Check affiliate coverage: define "Customer" to sweep in entities under common control, and add a transfer clause that expressly permits internal reorganizations
  • Check contractor coverage: permit use by contractors acting on the customer's behalf and for its benefit
  • Pin down the license metric (named/concurrent users, seats, cores, instances, transactions, tier) precisely enough that both sides count the same way in two years; specify whether read-only and API access count
  • Translate each restriction (reverse engineering, decompilation, no sublicensing, no assignment, no service bureau, no benchmarking, no competitive use) into a concrete operational consequence and assign a negotiation priority
  • Flag the red flags: silent termination "subject to" provisions, vague purpose limits, unilateral-modification rights, license tied to specific hardware, ambiguous user counting, unclear treatment of test/staging/dev, missing backup/disaster-recovery rights
  • Review the audit clause: advance notice (≥30 days), limited frequency, scope limited to the licensed software, a self-certification option, overage priced at contract rates (NOT "then-current list price"), a cure period, and a carve-out so a good-faith usage dispute is not a material breach

Affiliate and contractor coverage causes most post-signing pain. SQL Solutions, Inc. v. Oracle Corp., 1991 WL 626458 (N.D. Cal. 1991), held a licensee's corporate restructuring was a "transfer" violating the anti-assignment clause — even though the same people kept using the same software. The metric is where audits originate; an ambiguous "user" is an invitation to a true-up invoice and, where usage genuinely exceeds the grant, infringement exposure under the Adobe logic. The single most expensive audit default is overage priced at list; fix it to your contract rate. And insist that a good-faith dispute over usage is not, by itself, a material breach — otherwise the vendor can hold your mission-critical system hostage to a finding you reasonably contest. Reverse-engineering bars are usually fine but interact with fair-use interoperability law (Sega v. Accolade, 977 F.2d 1510 (9th Cir. 1992)) and the non-waivable EU decompilation right for interoperability (Software Directive 2009/24/EC, Arts. 6 and 8).

Phase 3 — SaaS Service Levels, Support, and On-Premise Continuity

  • Read the SLA's three parts together: the uptime commitment, the exclusions, and the remedy — a "99.9%" promise with unlimited vendor-defined "maintenance" excluded is not a 99.9% promise
  • Translate the uptime % into wall-clock downtime (99.9% ≈ 8.76 hrs/yr; 99.99% ≈ 52.6 min/yr) and confirm the measurement period and calculation method
  • Fight for a termination-for-chronic-failure right (e.g., miss in 3 consecutive months or 4 in a year) and ensure service credits are not the sole remedy for a material-breach outage
  • In support terms, distinguish a response commitment from a resolution commitment; fill in the severity matrix and flag every cell left as "commercially reasonable efforts"
  • For on-premise, confirm version-support duration, whether security patches are included or sold separately, and the end-of-life terms
  • For mission-critical on-premise software, negotiate source-code escrow with verified, current deposits and operational release triggers (failure to support, abandonment, repeated breach) — not bankruptcy alone

Vendors negotiate the headline uptime number while writing exclusions broad enough to swallow it. Service credits are almost always trivial relative to an outage; the right to leave is the leverage that disciplines a vendor. On escrow, a release condition triggered solely by the licensor's bankruptcy may be treated as an unenforceable ipso facto clause under Bankruptcy Code § 365(e)(1), and a one-time dump that no one updates breeds false comfort — tie release to a cluster of operational triggers and require verification testing.
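The SLA arithmetic above is easy to get wrong in a meeting, so here is an added worked example (not from the original checklist or from any vendor's SLA) that turns a headline percentage into wall-clock downtime, shows what an excluded-maintenance carve-out does to the number the customer actually experiences, and tests the chronic-failure trigger against a monthly uptime record. The monthly figures are constructed, and the trigger thresholds (3 consecutive misses, or 4 in any 12 months) are the illustrative negotiating position named in the text, not an industry standard.

```python
"""Turn an SLA's headline uptime into wall-clock downtime, show what an
excluded-maintenance carve-out does to it, and test a chronic-failure
trigger against a monthly uptime record.

Added example for this checklist; not taken from any vendor's SLA. The
monthly figures are constructed, and the trigger thresholds (3 consecutive
misses, or 4 in any 12 months) are the illustrative position named in the
text, not an industry standard.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24              # 8760; leap years ignored, as SLA math usually does
HOURS_PER_MONTH = HOURS_PER_YEAR / 12  # 730


@dataclass(frozen=True)
class Sla:
    uptime_pct: float            # the headline number, e.g. 99.9
    period_hours: float          # measurement period: HOURS_PER_MONTH or HOURS_PER_YEAR
    excluded_maint_hours: float  # "scheduled maintenance" the SLA does not count, per period


def permitted_downtime_hours(uptime_pct: float, period_hours: float) -> float:
    """Unexcused downtime the vendor can incur per period and still hit the headline."""
    return period_hours * (100.0 - uptime_pct) / 100.0


def effective_uptime_pct(sla: Sla) -> float:
    """Worst-case availability the customer actually experiences: the vendor
    uses every excluded maintenance hour plus every permitted unexcused hour.
    Assumes (as most SLAs do) that maintenance is dropped from counted
    downtime while the denominator stays the full period."""
    down = permitted_downtime_hours(sla.uptime_pct, sla.period_hours) + sla.excluded_maint_hours
    return 100.0 * (1.0 - down / sla.period_hours)


def chronic_failure(monthly_uptime_pct: list[float], committed_pct: float,
                    consecutive: int = 3, in_window: int = 4, window: int = 12) -> bool:
    """True if the record trips either trigger: `consecutive` misses in a row,
    or `in_window` misses inside any `window` consecutive months. A miss is
    any month below the committed percentage, however slightly."""
    misses = [u < committed_pct for u in monthly_uptime_pct]
    run = 0
    for missed in misses:
        run = run + 1 if missed else 0
        if run >= consecutive:
            return True
    for start in range(max(1, len(misses) - window + 1)):
        if sum(misses[start:start + window]) >= in_window:
            return True
    return False


if __name__ == "__main__":
    for pct in (99.5, 99.9, 99.95, 99.99):
        hrs = permitted_downtime_hours(pct, HOURS_PER_YEAR)
        print(f"{pct}% annual -> {hrs:6.2f} h/yr ({hrs * 60:7.1f} min/yr)")
    # Constructed: "99.9% monthly" with up to 4 h/month of excluded maintenance.
    sla = Sla(uptime_pct=99.9, period_hours=HOURS_PER_MONTH, excluded_maint_hours=4.0)
    print(f"headline {sla.uptime_pct}% -> effective {effective_uptime_pct(sla):.3f}% worst case")
    # Constructed 12-month record: three scattered misses, none consecutive.
    record = [99.95, 99.80, 99.95, 99.70, 99.95, 99.95, 99.85, 99.95, 99.95, 99.95, 99.95, 99.95]
    print("chronic failure:", chronic_failure(record, 99.9))
```

Two things the numbers make concrete: a 99.9% monthly promise with four excluded maintenance hours is a 99.35% promise in the worst case, and a vendor that misses three months out of twelve without ever missing twice in a row never trips a "3 consecutive" trigger, which is why the "4 in any 12" alternative belongs in the clause.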

Phase 4 — Data Rights, Security, Breach, and Exit

  • Confirm the customer owns Customer Data (including derived data) and the vendor acquires only a license to provide the service
  • Scrutinize the vendor's data license: no use for the vendor's other products, no use to train AI models (the 2026 flashpoint), no aggregation with competitor data, no sale or sharing; the license terminates with the agreement
  • Pin down "anonymized and aggregated" language — true de-identification, a contractual ban on re-identification, and an opt-out
  • Demand specific, auditable security: encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, MFA, and a SOC 2 Type II report (not Type I)
  • Review the breach clause: "without undue delay and in any event within 72 hours of discovery," and confirm breach-related costs are carved out of the liability cap
  • Secure exit rights before signing: export in a standard usable format (CSV/JSON/documented API), a 30–90 day post-termination access window, capped transition-assistance rates, and destruction certification

For any hosted solution, the data provisions are the contract. The "improve our services" clause is the hook vendors later cite for AI training; insist on an explicit, separate model-training provision rather than a buried definition. Type II beats Type I because it reflects testing of whether controls actually operated over months, not just a point-in-time description. If the cap swallows breach liability, a vendor whose negligence exposes a million records owes you, at most, a refund of last year's fees. Lock-in is the most underappreciated SaaS risk — negotiate exit while you still have leverage.

Phase 5 — IP, Open Source, Warranties, and Indemnification

  • Confirm IP ownership allocation (vendor owns the software; customer owns its data; no implied licenses) and address custom development ownership and feedback assignment (cap feedback to "voluntarily provided"; avoid joint ownership)
  • Require open-source assurances: SBOM on request, a warranty that OSS use imposes no copyleft on the customer, vendor responsibility for compliance, and indemnity covering OSS claims
  • Read express warranties and disclaimers together; confirm the core warranty (software performs materially per documentation) and keep a copy of the documentation as of signing
  • Confirm warranty disclaimers of merchantability and fitness are conspicuous (caps/bold) and resist letting non-infringement land on the disclaimer list
  • Review the IP indemnity: defense and indemnification obligations, scope (patent, copyright, trademark, trade secret, OSS), carve-outs tested by causation/fault, and remediation options where any termination refund is substantial, not nominal
  • Narrow the customer indemnity so the customer never indemnifies the vendor for the vendor's own handling of Customer Data

Open-source licenses are enforceable conditions on a copyright license; violating them is potential infringement, not mere breach (Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008)) — so "it's just open source" is backwards. Under the UCC, disclaimers of merchantability and fitness must be conspicuous (§§ 2-316, 1-201(b)(10)); a plain-type disclaimer may not survive. The IP indemnity is one of the most valuable protections a customer can secure because it is a risk you cannot evaluate (you did not write the code) and the vendor can. The carve-outs are where vendors recover what the indemnity gives — each is fair only where the customer actually caused the problem.
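The SBOM the checklist tells you to request is only useful if someone reads it against the warranty. Here is an added example (not from the original checklist, and not the code of any vendor or SBOM tool) that screens a CycloneDX JSON SBOM for components whose declared license conflicts with a "no copyleft imposed on the customer" warranty, resolves simple SPDX expressions (an OR lets the licensee choose the least restrictive option; an AND binds it to the most restrictive), and lists components with no license data at all, which are themselves a question for the vendor. The SBOM is a constructed sample with fictional component names, and the identifier-to-bucket table is an illustrative technical screen, not a legal classification.

```python
"""Screen a vendor-supplied CycloneDX SBOM against a "no copyleft imposed on
the customer" warranty and list what to put to the vendor before signing.

Added example for this checklist; it is not code from any vendor or SBOM
tool. SAMPLE_SBOM is a constructed document with fictional component names.
The SPDX-identifier buckets are an illustrative starting point for a
technical screen, not a legal classification; counsel confirms the result.
"""
from __future__ import annotations

import json
import re

# Constructed sample in CycloneDX JSON shape. Each component carries either
# a single SPDX "license" object, a free-text "expression", or nothing.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-json", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-pdf-render", "version": "8.2.1",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "acme-crypto-shim", "version": "2.0.4",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "acme-widget", "version": "0.9.1",
         "licenses": [{"expression": "GPL-2.0-only OR Apache-2.0"}]},
        {"type": "library", "name": "acme-db-driver", "version": "5.0.0",
         "licenses": [{"expression": "AGPL-3.0-only AND BSD-3-Clause"}]},
        {"type": "library", "name": "acme-mystery-blob", "version": "4.1"},
    ],
})

# Buckets in order of increasing restrictiveness; matched on SPDX id prefix.
BUCKETS = ["permissive", "weak-copyleft", "strong-copyleft", "review"]
PERMISSIVE = re.compile(r"^(MIT|ISC|0BSD|Zlib|Unlicense|BSD-[23]-Clause|Apache-2\.0)\b")
WEAK_COPYLEFT = re.compile(r"^(LGPL-\d|MPL-\d|EPL-\d|CDDL-\d)")
STRONG_COPYLEFT = re.compile(r"^(A?GPL-\d|SSPL-\d|EUPL-\d)")


def classify(spdx_id: str) -> str:
    """Bucket one SPDX identifier. A 'WITH <exception>' clause is dropped and
    the base license classified, so exceptions (e.g. Classpath) still get a
    human look. Anything unrecognized, including an empty id, is 'review'."""
    base = spdx_id.split(" WITH ")[0].strip()
    if STRONG_COPYLEFT.match(base):
        return "strong-copyleft"
    if WEAK_COPYLEFT.match(base):
        return "weak-copyleft"
    if PERMISSIVE.match(base):
        return "permissive"
    return "review"


def classify_expression(expr: str) -> str:
    """Resolve a flat SPDX expression. 'OR' lets the licensee pick the least
    restrictive option; 'AND' binds it to the most restrictive. Mixed or
    parenthesized expressions are treated as AND (the conservative reading)."""
    flat = expr.replace("(", "").replace(")", "")
    parts = [p.strip() for p in re.split(r"\s+(?:OR|AND)\s+", flat) if p.strip()]
    ranks = [BUCKETS.index(classify(p)) for p in parts]
    if " OR " in flat and " AND " not in flat:
        return BUCKETS[min(ranks)]
    return BUCKETS[max(ranks)]


def screen_sbom(sbom_json: str) -> dict[str, list[str]]:
    """Group components by bucket. Several license entries on one component
    are read conjunctively (worst bucket wins); components with no license
    data go to 'undeclared'."""
    bom = json.loads(sbom_json)
    report: dict[str, list[str]] = {b: [] for b in BUCKETS + ["undeclared"]}
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version', '?')}"
        licenses = comp.get("licenses") or []
        if not licenses:
            report["undeclared"].append(label)
            continue
        worst = "permissive"
        for entry in licenses:
            if "expression" in entry:
                bucket = classify_expression(entry["expression"])
            else:
                lic = entry.get("license", {})
                bucket = classify(lic.get("id") or lic.get("name") or "")
            worst = max(worst, bucket, key=BUCKETS.index)
        report[worst].append(label)
    return report


def warranty_questions(report: dict[str, list[str]]) -> list[str]:
    """Components to raise against the OSS warranty or, at minimum, to ask
    the vendor about: strong copyleft, unrecognized ids, and no declaration."""
    return report["strong-copyleft"] + report["review"] + report["undeclared"]


if __name__ == "__main__":
    result = screen_sbom(SAMPLE_SBOM)
    for bucket, names in result.items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
    print("raise with vendor:", warranty_questions(result))
```

Read the output with the deployment model from Phase 1 in mind: copyleft reaches the customer when software is delivered and run on-premise; for a hosted service the copyleft compliance risk sits with the vendor, which is exactly what the OSS indemnity in the checklist is there to cover.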

Phase 6 — Limitation of Liability, Term, and Bankruptcy Continuity

  • Read the cap structure: amount, multiple of fees, period (trailing 12 months vs. total), and per-claim vs. aggregate
  • Confirm the consequential-damages exclusion and recognize it strips your most significant losses (lost profits, business interruption)
  • Negotiate the carve-outs that sit outside both the cap and the exclusion: IP-infringement indemnity, confidentiality, data-security breaches, gross negligence/willful misconduct, and payment obligations
  • Confirm the warranty's "repair or replace" remedy has a real cure obligation and a fallback so it cannot "fail of its essential purpose" (UCC § 2-719(2)); draft the damages exclusion as expressly independent
  • Review term, renewal (caps on increases, defined renewal pricing, a generous notice window before auto-renewal), and termination triggers and effects
  • Confirm the agreement acknowledges the customer's 11 U.S.C. § 365(n) rights, treats the escrow as a "supplementary agreement," and does not waive these protections

If you read only one provision, read the limitation of liability — it sets the maximum financial consequence to the vendor of breaking its promises, and therefore how seriously it takes them. The data-security carve-out, in particular, can be worth more than every price concession combined: with it, a breach may fall outside the cap entirely; without it, the identical breach is capped at twelve months' fees. UCC § 2-719(3) lets sophisticated commercial parties exclude consequential damages (not prima facie unconscionable for commercial loss), but § 2-719(2)'s "failure of essential purpose" is the safety valve when an "exclusive" repair remedy never actually fixes the defect. On bankruptcy, § 365(n) lets a licensee of patents, copyrights, or trade secrets retain its rights when a debtor-licensor's trustee rejects the license (Congress enacted it to reverse Lubrizol v. Richmond Metal Finishers, 756 F.2d 1043 (4th Cir. 1985)); trademarks are outside § 101(35A), but Mission Product Holdings, Inc. v. Tempnology, LLC, 587 U.S. 370 (2019), reaches the same result for them by treating rejection as a breach rather than a rescission. Make sure the agreement works with these protections rather than waiving them.

Common Mistakes

  • Negotiating price for weeks while rubber-stamping the liability architecture — a 10% discount is cold comfort when a data breach turns out to be capped at a year's fees because the contract never carved it out.
  • Letting an ambiguous license metric slide, then meeting it again as a six-figure audit true-up priced at list.
  • Accepting a grant narrower than your real deployment (no affiliates, no contractors) and discovering it as a breach during a reorganization or audit.
  • Treating "anonymized and aggregated" or "improve our services" as boilerplate, thereby licensing your data for the vendor's AI models.
  • Accepting a SOC 2 Type I, a "prompt" breach-notice window, or service credits as the sole outage remedy.
  • Leaving exit rights to negotiate after the relationship sours, when leverage is gone.
  • Letting the liability cap swallow data-security, confidentiality, and IP-indemnity obligations.

Primary Authority

  • License vs. sale / scope as infringement: Vernor v. Autodesk, Inc., 621 F.3d 1102 (9th Cir. 2010); Adobe Systems Inc. v. One Stop Micro, Inc., 84 F. Supp. 2d 1086 (N.D. Cal. 2000); first-sale doctrine, 17 U.S.C. § 109.
  • Covenant vs. condition: MDY Industries, LLC v. Blizzard Entertainment, Inc., 629 F.3d 928 (9th Cir. 2010).
  • Online contract formation: ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996); Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002); Nguyen v. Barnes & Noble, Inc., 763 F.3d 1171 (9th Cir. 2014).
  • Anti-assignment / restructuring: SQL Solutions, Inc. v. Oracle Corp., 1991 WL 626458 (N.D. Cal. 1991).
  • Reverse engineering / interoperability: Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992).
  • Open source as copyright condition: Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008).
  • Warranties and remedies: UCC §§ 2-316 (conspicuous disclaimers), 2-719 (limited remedies; failure of essential purpose; consequential-damages exclusion).
  • Bankruptcy continuity: 11 U.S.C. §§ 101(35A), 365, 365(n); Lubrizol Enterprises v. Richmond Metal Finishers, 756 F.2d 1043 (4th Cir. 1985); Mission Product Holdings, Inc. v. Tempnology, LLC, 587 U.S. 370 (2019).
  • Data/regulatory: HIPAA, 45 C.F.R. Parts 160 and 164; GDPR Arts. 28, 33; CCPA/CPRA, Cal. Civ. Code § 1798.140. Verify current rates, deadlines, and certifications at the official sources.


This checklist is general information, not legal advice. Software licensing and technology-transaction law vary by jurisdiction and continue to evolve; the sample positions described are illustrative. Consult qualified counsel to review a specific agreement.