Managed Services Agreement
What Is a Managed Services Agreement?
A Managed Services Agreement in the United States defines the scope of work, fees and deliverables governing the provider's services to the client.
The Managed Services Agreement is governed by general US contract law — the Restatement (Second) of Contracts and Article 2A of the Uniform Commercial Code (UCC) where applicable to software and service elements — and by the specific federal and state regulatory frameworks applicable to the data the MSP accesses on behalf of its clients. Because MSPs typically have broad access to client systems, networks, and sensitive data, compliance with data privacy and security law is a defining legal feature of the MSA.
For healthcare organization clients, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. Parts 160 and 164, requires that any business associate — including an MSP that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity — execute a HIPAA Business Associate Agreement (BAA) meeting the requirements of 45 C.F.R. § 164.504(e). The BAA is typically incorporated into or attached to the Managed Services Agreement. An MSP that accesses PHI without an executed BAA exposes both itself and its healthcare client to HIPAA civil money penalties under 42 U.S.C. § 1320d-5, which range from $100 to $50,000 per violation (up to $1.9 million per violation category per year).
For clients subject to the Payment Card Industry Data Security Standard (PCI-DSS) — merchants and service providers that store, process, or transmit cardholder data — the MSP must comply with PCI-DSS requirements applicable to service providers under the PCI Security Standards Council's requirements, and the MSA should incorporate the client's and MSP's respective PCI-DSS responsibilities.
The California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100–1798.199.100, as amended by the California Privacy Rights Act (CPRA), and other state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Va. Code Ann. §§ 59.1-571 et seq., the Colorado Privacy Act (CoPA), C.R.S. § 6-1-1301 et seq., and the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code §§ 541.001 et seq., impose obligations on MSPs acting as 'service providers,' 'processors,' or 'contractors' when processing personal data on behalf of their clients. The Managed Services Agreement must include a Data Processing Agreement (DPA) or data processing addendum specifying the nature and purpose of processing, the data subject categories, and the security measures the MSP will implement.
When Do You Need a Managed Services Agreement?
A US Managed Services Agreement is needed whenever a business, nonprofit organization, healthcare system, financial institution, or government agency engages a managed service provider (MSP) to assume ongoing, proactive management of IT infrastructure, cybersecurity, cloud services, network operations, or other critical operational functions rather than handling those functions with in-house staff.
Small and medium-sized businesses (SMBs) — defined by the Small Business Administration (SBA) as companies with fewer than 500 employees — are the primary market for managed IT services in the United States. According to industry research by CompTIA and Gartner, the US managed services market exceeds $100 billion annually, driven by SMBs that lack the internal resources to hire full IT departments. Law firms, dental and medical practices, accounting firms, real estate brokerages, and retail businesses use Managed Services Agreements with regional MSPs to outsource their IT helpdesk, endpoint management, Microsoft 365 administration, backup and disaster recovery, and cybersecurity functions.
Healthcare organizations — hospitals, physician groups, health systems, dental service organizations (DSOs), and behavioral health providers — use Managed Services Agreements with healthcare IT MSPs such as Netsmart Technologies, Azalea Health, and regional managed security service providers (MSSPs) to manage their electronic health record (EHR) systems, medical device networks, HIPAA-compliant data backup, and cybersecurity monitoring. Every such agreement must include a HIPAA Business Associate Agreement (BAA) as required by 45 C.F.R. § 164.504(e).
Financial services firms — registered investment advisers, broker-dealers registered with FINRA, insurance companies, and community banks — use Managed Services Agreements to outsource IT functions while maintaining compliance with SEC Regulation S-P (17 C.F.R. § 248.30), which requires financial institutions to implement safeguards to protect customer records and information, and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 C.F.R. Part 314), which imposes specific cybersecurity program requirements.
Government contractors and federal agencies use Managed Services Agreements that incorporate compliance with the Federal Acquisition Regulation (FAR), DFARS cybersecurity clauses (252.204-7012), NIST SP 800-171 Controlled Unclassified Information (CUI) protection requirements, and FedRAMP cloud authorization requirements for cloud service providers.
Managed Security Service Providers (MSSPs) — companies that provide 24/7 Security Operations Center (SOC) monitoring, SIEM (Security Information and Event Management) services, endpoint detection and response (EDR), and threat intelligence — use specialized Managed Security Services Agreements that define incident response obligations, SLA response times for security events, and the MSP's notification obligations under state data breach notification laws such as California Civil Code § 1798.29, New York General Business Law § 899-aa, and the requirements of all 50 state breach notification statutes.
What to Include in Your Managed Services Agreement
A legally effective US Managed Services Agreement must contain the following essential provisions to define the service scope, establish performance standards, allocate security and data processing responsibilities, and provide enforceable remedies for service failures.
The service scope definition — often documented in a Service Schedule or Exhibit A attached to the MSA — must precisely identify all systems, devices, users, and service categories covered by the agreement. The scope should list: covered devices (servers, workstations, laptops, network switches, firewalls, storage systems) by type and quantity; covered software platforms (Microsoft 365 tenants, Google Workspace, specific line-of-business applications); covered service categories (helpdesk support, patch management, backup monitoring, network monitoring, cybersecurity); business locations covered; and any systems or services expressly excluded from managed services scope. Ambiguity in scope is the most common source of MSP-client disputes, and a detailed scope schedule prevents arguments about whether a particular service or system is included in the monthly fee.
The Service Level Agreement (SLA) must specify measurable performance standards including: response time commitments by incident severity level (P1 critical — 15-minute response; P2 high — 2-hour response; P3 medium — 4-hour response; P4 low — next business day response); resolution time targets for each severity level; uptime guarantees for managed servers and infrastructure; monitoring frequency; and monthly reporting requirements. The SLA must define what constitutes a service credit when SLA targets are missed, the maximum credit per month, and the exclusions from SLA measurement (third-party outages, client-caused incidents, scheduled maintenance windows, and force majeure events).
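As an added illustration (not part of this template's text), the following Python helper scores a month of support tickets against the severity tiers above and applies the exclusions and credit cap the clause calls for; the credit percentages, the 24-hour approximation of "next business day", and the ticket records are constructed assumptions.

```python
"""SLA response-time measurement with exclusions and a monthly credit cap.
Added example only; thresholds, credit terms and tickets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Response targets per severity in minutes (P1 15 min, P2 2 h, P3 4 h).
# "Next business day" for P4 is approximated as 24 hours (assumption).
RESPONSE_TARGET_MIN = {"P1": 15, "P2": 120, "P3": 240, "P4": 1440}

# Causes the clause excludes from SLA measurement.
EXCLUDED_CAUSES = {"third_party_outage", "client_caused",
                   "scheduled_maintenance", "force_majeure"}


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    opened: datetime
    acknowledged: datetime
    cause: str = "provider"  # default: incident attributable to the MSP


def is_measurable(t: Ticket) -> bool:
    """Exclude tickets whose root cause the SLA carves out."""
    return t.cause not in EXCLUDED_CAUSES


def response_met(t: Ticket) -> bool:
    """True when the MSP acknowledged within the tier's target window."""
    target = timedelta(minutes=RESPONSE_TARGET_MIN[t.severity])
    return t.acknowledged - t.opened <= target


def monthly_sla_report(tickets, credit_per_miss_pct=5.0, max_credit_pct=20.0):
    """Per-severity compliance plus the service credit as a percent of the
    monthly fee, capped at max_credit_pct (constructed credit terms)."""
    measurable = [t for t in tickets if is_measurable(t)]
    by_severity, misses = {}, 0
    for t in measurable:
        stats = by_severity.setdefault(t.severity, {"measured": 0, "met": 0})
        stats["measured"] += 1
        if response_met(t):
            stats["met"] += 1
        else:
            misses += 1
    credit = min(misses * credit_per_miss_pct, max_credit_pct)
    return {"by_severity": by_severity, "misses": misses,
            "excluded": len(tickets) - len(measurable), "credit_pct": credit}


# Constructed sample month: two misses, one excluded client-caused ticket.
D = datetime(2024, 3, 4)
SAMPLE_TICKETS = [
    Ticket("T1", "P1", D.replace(hour=9), D.replace(hour=9, minute=10)),
    Ticket("T2", "P1", D.replace(hour=10), D.replace(hour=10, minute=30)),
    Ticket("T3", "P2", D.replace(hour=11), D.replace(hour=12, minute=30)),
    Ticket("T4", "P3", D.replace(hour=13), D.replace(hour=18)),
    Ticket("T5", "P1", D.replace(hour=14), D.replace(hour=15), "client_caused"),
    Ticket("T6", "P4", D.replace(hour=16), D + timedelta(days=1, hours=10)),
]

if __name__ == "__main__":
    print(monthly_sla_report(SAMPLE_TICKETS))
```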
The data security and privacy clause must specify: the MSP's obligation to implement and maintain information security controls appropriate to the sensitivity of the client's data; the minimum security standards the MSP must meet (SOC 2 Type II compliance, ISO 27001 certification, or equivalent); access control requirements (role-based access, multi-factor authentication, privileged access management); the prohibition on the MSP using client data for any purpose other than delivering contracted services; the MSP's data breach notification obligation — including the timeframe (24 to 72 hours after discovery of a confirmed breach is standard) and the information to be included in the notification; and the MSP's cooperation obligations in the event of a regulatory investigation or data breach response.
The HIPAA Business Associate Agreement (BAA) addendum must be incorporated or attached for any client that qualifies as a HIPAA covered entity or business associate. The BAA must satisfy the requirements of 45 C.F.R. § 164.504(e), including provisions on the MSP's permitted uses and disclosures of PHI, the MSP's obligation to implement HIPAA Security Rule safeguards, the MSP's obligation to report breaches of unsecured PHI under 45 C.F.R. § 164.410, and the obligations upon termination of the BAA.
The fee structure and billing clause must specify: the monthly managed services fee; the billing cycle and payment due date; the procedure for adding or removing covered devices or users and the resulting fee adjustment; the separate hourly rate or project fee structure for out-of-scope work; annual escalation terms; and the consequences of late payment including interest and suspension of services.
The limitation of liability clause must address the MSP's aggregate liability cap (typically limited to 3 to 12 months of fees paid), the mutual exclusion of consequential and indirect damages, and the carve-outs from the cap for gross negligence, willful misconduct, breaches of data security obligations, and HIPAA BAA violations. The MSP's required insurance coverage — commercial general liability, professional liability/errors and omissions, cyber liability, and workers' compensation — should be specified as a condition of the agreement, with minimum coverage amounts.
The termination and transition clause must specify each party's termination rights (for cause after cure period, for convenience on 30 to 90 days' notice), the MSP's transition assistance obligations upon termination (continuing services through the transition, providing documentation and credentials to the incoming provider), and whether any early termination fee applies for convenience terminations within an initial contract term.
Sources & Citations
Statutory citations link to official government sources. Last verified by Forms Legal Editorial Team.
Frequently Asked Questions
A managed services agreement (MSA) is a contract under which a managed service provider (MSP) assumes ongoing responsibility for a defined set of IT or operational functions on behalf of a client, typically for a fixed recurring monthly fee. This is fundamentally different from a traditional time-and-materials IT services contract, where the client engages a vendor to perform specific tasks as needed and pays for actual hours worked. Under a managed services model, the MSP takes proactive, continuous responsibility for the client's covered systems — monitoring, maintaining, patching, and supporting them on an ongoing basis — rather than responding reactively when problems arise. Common examples of managed services include: managed IT support and helpdesk; managed network and infrastructure; managed cybersecurity (SOC/SIEM services, endpoint protection); managed cloud services; managed backup and disaster recovery; and managed communications (VoIP, Microsoft 365 administration). The fixed monthly fee model aligns the MSP's incentives with preventing problems (since fewer incidents mean less work), rather than being paid more for remediation work. The MSA should clearly define which systems and services are within scope, the service levels the MSP must maintain, escalation procedures, how out-of-scope work is handled, and the client's responsibilities for cooperation and access.
A service level agreement (SLA) is the section of an MSA that defines the measurable performance standards the MSP must achieve. A well-drafted SLA should include:
- Response time commitments — the time within which the MSP will acknowledge receipt of a support ticket and begin working on it, typically tiered by severity (for example, critical issues affecting the entire network: 15-minute response; high-priority issues affecting a single user's ability to work: 4-hour response; low-priority questions: next business day).
- Resolution time commitments — the time within which the MSP commits to resolving or providing a workaround for different categories of issues.
- Uptime guarantees — for systems the MSP manages and is responsible for, a minimum availability percentage (for example, 99.5% monthly uptime for managed servers).
- Monitoring standards — the frequency and scope of proactive monitoring and the metrics the MSP will track and report.
- Reporting obligations — monthly or quarterly service reports showing performance against SLA metrics.
- Remedies for SLA failures — service credits or fee reductions when SLA targets are missed.
The SLA should also clearly define what is excluded from SLA coverage: incidents caused by the client's actions, third-party outages, scheduled maintenance windows, and force majeure events should not count against the MSP's SLA performance.
Because MSPs typically have broad access to client systems, networks, and data — often including sensitive personal information, financial records, and confidential business data — data security and compliance provisions in an MSA are critically important. The agreement should address:
- Access controls — the MSP's obligation to implement role-based access controls, multi-factor authentication, and the principle of least privilege when accessing client systems.
- Data handling — restrictions on how the MSP may use, access, store, or disclose client data, and a prohibition on using client data for any purpose other than delivering the contracted services.
- Incident notification — the MSP's obligation to notify the client promptly (often within 24 to 72 hours) of any actual or suspected security incident, data breach, or unauthorized access to client systems.
- Compliance obligations — if the client is subject to industry-specific regulations (HIPAA for healthcare, PCI-DSS for payment card processing, SOX for public companies, CCPA/CPRA for California businesses), the MSP should agree to handle regulated data in compliance with applicable requirements and to sign any required Business Associate Agreement (BAA) or Data Processing Agreement (DPA).
- Business continuity — the MSP's obligations for backup, recovery, and disaster recovery in the event of a ransomware attack, hardware failure, or natural disaster.
- Security audits — the client's right to audit the MSP's security practices, or to require the MSP to provide SOC 2 Type II reports or equivalent third-party assessments.
Managed service providers use several fee structures, each with different risk profiles and incentive alignment. The per-device or per-seat model charges a fixed monthly fee for each device (desktop, laptop, server, network switch) or user seat covered by the managed services. This model is simple and predictable for both parties and is common for IT helpdesk and endpoint management services. The all-inclusive or flat-fee model charges a single monthly fee for all services covered in the MSA, regardless of the number of incidents or devices. This model maximizes predictability for the client and incentivizes the MSP to invest in proactive maintenance to reduce incident volume. The tiered or à la carte model offers different service packages (bronze, silver, gold) at different price points, allowing clients to choose the level of coverage that fits their needs and budget. The hybrid model combines a base monthly fee for standard services with additional charges for out-of-scope work, after-hours support, or significant projects. The MSA should clearly define what is included in the monthly fee, what constitutes out-of-scope work that will be billed separately (usually at a separate hourly or project rate), how the fee changes if the client adds devices or seats during the term, and the process for annual price adjustments.
Liability limitation clauses are among the most negotiated provisions in managed services agreements because MSPs have access to critical systems and their failures can cause significant business disruption. MSPs typically insist on liability caps and limitation-of-liability clauses to manage their financial exposure. Common MSP liability provisions include:
- Aggregate liability cap — limiting the MSP's total liability for all claims arising from the agreement to the fees paid in the preceding 3 to 12 months.
- Mutual limitation of consequential damages — excluding both parties' liability for indirect, incidental, special, or consequential damages (lost profits, business interruption, data loss beyond direct recovery costs), even if advised of the possibility. This exclusion is critical for MSPs because a single outage could, in theory, cost the client millions in lost revenue that far exceeds the monthly MSP fee.
- Carve-outs from liability limits — most negotiated agreements carve out certain claims from the liability cap, including claims arising from the MSP's gross negligence or willful misconduct, data breaches caused by the MSP's failure to implement required security controls, and indemnification obligations for third-party intellectual property claims.
Clients — particularly those in regulated industries where data breaches carry statutory penalties — should negotiate for higher liability caps, stronger carve-outs, and requirements that the MSP maintain errors and omissions (E&O) and cyber liability insurance with adequate limits.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.