In-house counsel today isn’t just about reviewing contracts; it’s about managing risk in a tech-driven world where regulation struggles to keep pace. Every cloud deal, AI integration, or SaaS license can be a hidden vulnerability if the terms aren’t watertight. This is about building resilience into your tech stack. Here’s how to spot the pressure points and negotiate from a position of strength.

Key clauses to watch: IP, SLAs, indemnities, limitation of liability, security, and data privacy
Intellectual Property (IP)
Ensure clarity on ownership and licensing, especially for custom developments or AI-generated outputs. Watch for supplier-friendly clauses that grant broad rights to use customer data or deliverables for purposes other than providing the services or benefiting other clients. Collaborate with your tech and data teams to assess IP risks tied to integrations, model training, and outputs.
Service Level Agreements (SLAs)
SLAs should reflect business criticality. Push for measurable commitments such as uptime, response times, regular reporting, and meaningful remedies. Consider escalation paths and termination rights for persistent failures. Align SLA terms with internal continuity planning and vendor management processes.
Indemnities
Vendors often limit indemnities to third-party claims. Push for broader coverage, including direct losses, especially indemnities for IP infringement, data breaches, and regulatory noncompliance. Some vendors may even agree to indemnify for breaches of contract or negligence, particularly when subject to a reasonable liability cap.
Security and data privacy
For vendors with access to IT systems or personal data, require robust security commitments and audit rights. Look for independent certifications (e.g., SOC 2, ISO 27001) and ensure data privacy terms align with applicable laws such as GDPR or CCPA.
Managing supplier-customer power imbalances
Large tech vendors often hold the cards when negotiating, but you can still play smart:
Prioritize high-risk areas
Don’t try to renegotiate every clause. Focus on data rights, liability, and termination provisions.
Use internal leverage
Highlight strategic value, longevity commitment, regulatory obligations, or reputational risks to justify exceptions to standard terms.
Embed governance
Include joint steering committees, audit rights, and periodic reviews to maintain influence post-signature.
Assess extended vendor dependencies
Identify “fourth-party” risks where your supplier relies on additional providers, such as LLM developers or cloud infrastructure. Require disclosure of such dependencies and flow down of key contractual protections, including confidentiality, security, and compliance obligations.
AI-specific contracting considerations
AI isn’t just a buzzword; it’s a compliance minefield. Here’s what to lock down:
Data usage
Define how your and your customers’ data can be used, especially for training models. Restrict sensitive or proprietary data unless explicitly permitted. Consider data residency, anonymization, and/or encryption requirements.
Model training & IP ownership
Clarify whether improvements made using your data benefit your organization or the supplier’s broader offering. Consider co-ownership or licensing models for trained outputs.
Explainability and accountability
As AI decisions impact compliance and fairness, request transparency commitments. While full algorithmic disclosure may be unrealistic, suppliers should provide audit logs, decision rationales, and compliance with AI governance frameworks.
Bias, fairness, and compliance
AI systems can inadvertently introduce bias or violate regulatory standards (e.g., GDPR, EU AI Act, and US federal and state AI, privacy, and consumer protection laws). Contracts should include obligations for suppliers to test and mitigate bias, document fairness metrics, and comply with applicable laws. Consider audit rights or third-party assessments to verify compliance, especially in high-risk use cases like recruitment, credit scoring, or healthcare.
AI impact assessments
Conduct robust AI impact assessments before onboarding any AI solution and update them regularly as regulations evolve. Treat these assessments as a precondition for approval and ongoing monitoring.
Contract terms and transparency
Review all vendor terms, including online or hyperlinked conditions, as they may change unilaterally and contain hidden risks. The market remains fragmented: indemnities, liability caps, and warranties vary widely, requiring close review and documentation.
Key takeaways
Technology contracting is a strategic function, not a box-ticking exercise. By focusing on critical clauses, managing vendor dynamics, and adapting to emerging technologies such as AI, legal teams can help their organizations innovate safely and sustainably. Collaboration across legal, procurement, and technical teams ensures contracts aren’t just legally sound, they’re operationally resilient.


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.















