
SaaS Order Form vs Master Subscription Agreement (2026): Why the Boilerplate Isn't Enough for Enterprise Deals

Reviewed by the Forms Legal Editorial Team·Last updated
Key takeaways

An order form is a deal-specific exhibit — seats, price, term, SLA tier. A Master Subscription Agreement is the governance framework those deal terms snap into. Confusing the two, or treating one as a substitute for the other, is the fastest way to lose an enterprise customer mid-negotiation.

Series A founders often discover this the hard way: a Fortune 500 procurement team returns a 47-page redline on what you thought was a two-page order form. The redline touches indemnity caps, data-processing obligations, and audit rights your order form never mentioned — because those belong in the MSA. If you do not have a properly drafted MSA in place before that conversation, you are improvising governance live with your largest prospect watching.

What each document actually does

The MSA sets the permanent rules of the relationship: intellectual property ownership, liability caps, confidentiality obligations, acceptable use, governing law, and dispute resolution. These terms are negotiated once, then reused across every deal you sign with that customer — whether the initial contract covers five seats or five thousand.

The order form is the per-deal addendum. A well-structured order form captures the commercial variables: subscription tier, number of licensed users, annual contract value, payment schedule, effective date, auto-renewal notice period, and any SLA tier that differs from the MSA default. The order form cannot stand alone, because it assumes the MSA's definitions, limitation-of-liability clause, and termination rights already exist somewhere.

Together, they form a two-document stack that lets you close deals faster. Once the MSA is negotiated and signed, subsequent order forms are often approved by procurement without another full legal review.

The structural problem with "all-in-one" click-wrap agreements

Many early-stage SaaS companies start with a single terms-of-service document that combines subscription terms, acceptable use, privacy disclosures, and payment conditions into one wall of text. That works for a self-serve, product-led growth (PLG) motion where customers never speak to a human. It breaks down the moment an enterprise buyer's legal team gets involved.

Enterprise procurement teams expect a separable MSA because their standard operating procedure is to review and redline the governance document once, then pass order forms straight to a business unit approver. If your "MSA" is buried inside a combined terms page, they will either ask you to extract it — costing you weeks — or they will send their own paper, which means you are signing their standard contract instead of yours. Signing on customer paper is almost always disadvantageous to the vendor.

The Uniform Commercial Code (UCC) Article 2 applies to goods, not software-as-a-service, but many courts have applied UCC gap-filling principles to SaaS contracts by analogy. More directly relevant is the common law of contracts: offer, acceptance, and consideration must be clear for each order form transaction, which means your MSA must define what the order form incorporates by reference and how conflicts between the two documents are resolved. A well-drafted MSA includes an express order of precedence clause — typically providing that order form terms control over conflicting MSA terms for that deal.

What belongs in the order form and what belongs in the MSA

Order form deal terms:

  • Subscription start and end date
  • Number of seats or usage units licensed
  • Pricing, discount applied (if any), and billing frequency
  • SLA tier — for example, 99.9% uptime versus the MSA's base 99.5% commitment
  • Customer-specific data residency requirement (U.S. only, EU only)
  • Professional services scope if bundled
  • Auto-renewal opt-out notice period (often 30 or 60 days before renewal date)

MSA governance terms:

  • Intellectual property ownership and license grant
  • Limitation of liability — typically capped at fees paid in the prior 12 months, with carve-outs for data breaches and IP indemnity
  • Indemnification obligations (IP infringement, gross negligence, data breach)
  • Confidentiality and return-of-data obligations on termination
  • Acceptable use policy and suspension rights
  • Governing law and venue — usually Delaware for the vendor, unless the customer insists on their home state
  • Dispute resolution — litigation, arbitration (AAA or JAMS), and any mandatory pre-suit notice period

If your order form contains governance terms — or your MSA contains deal-specific pricing — you have a structural problem that will slow every negotiation.

The SLA tier issue: why order forms need more precision than you think

SLA tiers are one of the most frequently mishandled elements in SaaS contracts. A vendor's standard MSA may promise 99.5% monthly uptime with a credit of 10% of monthly fees for any month below that threshold. An enterprise customer may require 99.9% uptime with a 25% credit and the right to terminate if three consecutive months fall short.

Those enterprise-specific SLA terms belong in the order form as an exhibit or addendum — not in the MSA, because not every customer gets the same tier. If you hard-code the 99.9% standard into your MSA, you are contractually offering it to every customer who signs, whether or not they are paying for that tier.

A clean approach: define SLA tiers (Standard, Professional, Enterprise) in the MSA as named exhibits, then have the order form specify which exhibit applies to that customer. Customers at the Standard tier get Exhibit A; enterprise customers negotiating 99.9% get Exhibit C. This keeps your MSA accurate for all customers while giving enterprise buyers the specificity they need.

Data processing agreements and the MSA stack

If you sell to customers who are subject to GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, or any state privacy law that treats SaaS vendors as "service providers" or "processors," a Data Processing Agreement (DPA) is a mandatory third document in the stack.

The DPA defines your role as a processor acting on the customer's documented instructions, specifies subprocessor lists and notification obligations, and includes the standard contractual clauses required for EU-to-US data transfers. The DPA is not part of the order form and not part of the MSA proper — it attaches to the MSA as a separate exhibit, because its obligations are regulatory, not commercial.

Failing to have a signed DPA before processing EU personal data on behalf of a customer is a violation of GDPR Article 28, which requires that processing be governed by a binding agreement with specific mandatory content. U.S. companies selling into Europe cannot treat the DPA as optional paperwork.

Redline discipline: what enterprise buyers actually push on

When a Series A company faces its first enterprise redline, the negotiation typically clusters around five issues:

Liability cap. Buyers want uncapped liability for data breaches. Vendors want the cap to apply universally. The market compromise is a separate, higher cap (often 2× annual contract value) for breaches involving personal data, with the standard 1× cap for other claims.

IP indemnity. The buyer wants indemnification if your software infringes a third party's patent or copyright. This is a standard obligation for SaaS vendors — refuse it and you will lose enterprise deals.

Audit rights. Enterprise buyers, especially in financial services or healthcare, may demand the right to audit your security controls. Consider offering a SOC 2 Type II report in lieu of direct audit, which is the common negotiated outcome.

Auto-renewal. Buyers routinely push the auto-renewal notice period from 30 days to 60 or 90 days. Budget cycles at large companies require long lead times. This is usually worth conceding.

Termination for convenience. Some enterprise buyers want the right to terminate with 30 or 60 days' notice without cause. For annual contracts with upfront payment, push back or require payment of the remaining term.

Practical structure for a Series A company

At the Series A stage, you need at minimum: a standard MSA reviewed by SaaS-experienced counsel, a clean order form template with a clear incorporation-by-reference clause, and a DPA if you touch personal data. The SaaS agreement template at forms-legal.com provides a starting framework you can adapt before counsel review.

Keep the MSA as close to standard as possible for as long as possible. Every carve-out negotiated for one customer creates a precedent the next enterprise buyer will expect. Maintain a "fallback positions" document — internal notes on which terms you can move on and which you cannot — so your sales team does not over-commit during commercial conversations before legal is in the room.

The order form should never be longer than two to three pages for a standard deal. If commercial terms are spilling past that, something that belongs in the MSA has migrated into the order form, or you are building a custom arrangement that warrants a separate statement of work rather than an order form addendum.

The document stack in practice

A clean enterprise deal closes on four documents: the MSA (negotiated once), the order form (per deal, short), the DPA (regulatory, attached to MSA), and any applicable SLA exhibit referenced in the order form. Each document has a defined scope. None of them substitutes for the others.

Founders who understand this structure before the first enterprise negotiation move faster, lose fewer deals to legal delays, and keep control of their paper. Founders who discover it during the negotiation learn an expensive lesson — usually measured in months of delay or a contract signed on the customer's far less favorable terms.


This article is general information, not legal advice — see our accuracy & editorial policy. Confirm the cited law is current before relying on it.
