Managed Services Agreement
This Managed Services Agreement (the "Agreement") is entered into as of [Effective Date], by and between:
[MSP Name], located at [MSP Address] (the "Provider"); and
[Client Name], located at [Client Address] (the "Client").
1. SCOPE OF SERVICES
1.1 Included Services. Provider shall deliver the following managed services (the "Services"): [Services Included].
1.2 Covered Devices. The Services cover the following devices and systems: [Covered Devices].
1.3 Excluded Services. The following are expressly excluded from the Services and will be billed separately at the out-of-scope rate: [Services Excluded].
1.4 Client Responsibilities. Client shall provide Provider with timely access to covered systems, accurate asset information, and a designated point of contact. Client shall not make material changes to covered systems without notifying Provider in advance.
2. SERVICE LEVEL AGREEMENT
2.1 Critical Issue Response. For critical issues (network outage, server failure, ransomware): [Critical Response Time] response time from ticket receipt.
2.2 Standard Issue Response. For standard issues (single-user issues, non-critical requests): [Standard Response Time] response time from ticket receipt.
2.3 Uptime Guarantee. [Uptime Guarantee]. SLA commitments do not apply to outages caused by Client actions, third-party services, force majeure events, or scheduled maintenance windows.
2.4 Reporting. Provider shall deliver monthly service reports showing performance against SLA metrics, incident summaries, and system health status.
3. FEES AND BILLING
3.1 Monthly Fee. Client shall pay Provider [Monthly Fee] for the Services, invoiced [Billing Day].
3.2 Out-of-Scope Work. Work outside the included Services shall be billed at [Out Of Scope Rate]. Provider will obtain Client's approval for estimated out-of-scope costs exceeding $500 before proceeding.
3.3 Late Payment. Invoices not paid within 30 days of the due date shall accrue interest at 1.5% per month. Provider may suspend Services after 15 days' written notice of non-payment.
3.4 Annual Adjustment. Provider may adjust the monthly fee annually upon 60 days' written notice, not to exceed a 5% increase per year.
4. DATA SECURITY AND COMPLIANCE
4.1 Applicable Regulation. The Parties acknowledge that Client's data may be subject to: [Data Regulation]. Provider shall implement and maintain reasonable security controls appropriate to this regulatory context.
4.2 Security Incident Notification. [Breach Notification]
4.3 Data Use. Provider may access Client's data only as necessary to deliver the Services. Provider shall not use Client's data for any other purpose, sell it to third parties, or disclose it without Client's written consent.
4.4 Access Controls. Provider shall implement multi-factor authentication and role-based access controls for all personnel with access to Client's systems.
5. TERM AND TERMINATION
5.1 Initial Term. This Agreement shall have an initial term of [Initial Term] from the Effective Date, automatically renewing for successive one-year terms unless either Party provides [Termination Notice] of non-renewal.
5.2 Termination for Cause. Either Party may terminate this Agreement immediately upon written notice if the other Party materially breaches this Agreement and fails to cure within 30 days of notice.
5.3 Early Termination Fee. If Client terminates during the initial term without cause, Client shall pay an early termination fee of [Early Termination Fee].
5.4 Transition Assistance. Upon termination, Provider shall provide reasonable transition assistance and return all Client data within 30 days.
6. LIMITATION OF LIABILITY
6.1 Liability Cap. [Liability Cap]
6.2 Consequential Damages. Neither Party shall be liable for indirect, incidental, special, or consequential damages, including lost profits or business interruption, even if advised of their possibility.
6.3 Insurance. Provider shall maintain commercial general liability insurance of at least $1,000,000 per occurrence, cyber liability insurance of at least $1,000,000, and errors and omissions insurance of at least $1,000,000.
7. GENERAL PROVISIONS
7.1 Governing Law. This Agreement is governed by the laws of the State of [Governing State].
7.2 Independent Contractor. Provider is an independent contractor and not an employee or partner of Client.
7.3 Confidentiality. Each Party shall keep the other's confidential information strictly confidential and use it only to perform obligations under this Agreement.
7.4 Entire Agreement. This Agreement, together with any attached Exhibits, constitutes the entire agreement between the Parties.
7.5 Amendment. Modifications must be in writing and signed by both Parties.
IN WITNESS WHEREOF, the Parties have executed this Managed Services Agreement as of the Effective Date.
PROVIDER:
Signature: _______________________________ Date: _______________
Printed Name: [MSP Name]
CLIENT:
Signature: _______________________________ Date: _______________
Printed Name: [Client Name]
What Is a Managed Services Agreement?
A Managed Services Agreement in the United States defines the scope of work, fees and deliverables governing the provider's services to the client.
The Managed Services Agreement is governed by general US contract law — the Restatement (Second) of Contracts and Article 2A of the Uniform Commercial Code (UCC) where applicable to software and service elements — and by the specific federal and state regulatory frameworks applicable to the data the MSP accesses on behalf of its clients. Because MSPs typically have broad access to client systems, networks, and sensitive data, compliance with data privacy and security law is a defining legal feature of the MSA.
For healthcare organization clients, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. Parts 160 and 164, requires that any business associate — including an MSP that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity — execute a HIPAA Business Associate Agreement (BAA) meeting the requirements of 45 C.F.R. § 164.504(e). The BAA is typically incorporated into or attached to the Managed Services Agreement. An MSP that accesses PHI without an executed BAA exposes both itself and its healthcare client to HIPAA civil money penalties under 42 U.S.C. § 1320d-5, which range from $100 to $50,000 per violation (up to $1.9 million per violation category per year).
For clients subject to the Payment Card Industry Data Security Standard (PCI-DSS) — merchants and service providers that store, process, or transmit cardholder data — the MSP must comply with PCI-DSS requirements applicable to service providers under the PCI Security Standards Council's requirements, and the MSA should incorporate the client's and MSP's respective PCI-DSS responsibilities.
The California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100–1798.199.100, as amended by the California Privacy Rights Act (CPRA), and other state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Va. Code Ann. §§ 59.1-571 et seq., the Colorado Privacy Act (CoPA), C.R.S. § 6-1-1301 et seq., and the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code §§ 541.001 et seq., impose obligations on MSPs acting as 'service providers,' 'processors,' or 'contractors' when processing personal data on behalf of their clients. The Managed Services Agreement must include a Data Processing Agreement (DPA) or data processing addendum specifying the nature and purpose of processing, the data subject categories, and the security measures the MSP will implement.
When Do You Need a Managed Services Agreement?
A US Managed Services Agreement is needed whenever a business, nonprofit organization, healthcare system, financial institution, or government agency engages a managed service provider (MSP) to assume ongoing, proactive management of IT infrastructure, cybersecurity, cloud services, network operations, or other critical operational functions rather than handling those functions with in-house staff.
Small and medium-sized businesses (SMBs) — defined by the Small Business Administration (SBA) as companies with fewer than 500 employees — are the primary market for managed IT services in the United States. According to industry research by CompTIA and Gartner, the US managed services market exceeds $100 billion annually, driven by SMBs that lack the internal resources to hire full IT departments. Law firms, dental and medical practices, accounting firms, real estate brokerages, and retail businesses use Managed Services Agreements with regional MSPs to outsource their IT helpdesk, endpoint management, Microsoft 365 administration, backup and disaster recovery, and cybersecurity functions.
Healthcare organizations — hospitals, physician groups, health systems, dental service organizations (DSOs), and behavioral health providers — use Managed Services Agreements with healthcare IT MSPs such as Netsmart Technologies, Azalea Health, and regional managed security service providers (MSSPs) to manage their electronic health record (EHR) systems, medical device networks, HIPAA-compliant data backup, and cybersecurity monitoring. Every such agreement must include a HIPAA Business Associate Agreement (BAA) as required by 45 C.F.R. § 164.504(e).
Financial services firms — registered investment advisers, broker-dealers registered with FINRA, insurance companies, and community banks — use Managed Services Agreements to outsource IT functions while maintaining compliance with SEC Regulation S-P (17 C.F.R. § 248.30), which requires financial institutions to implement safeguards to protect customer records and information, and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 C.F.R. Part 314), which imposes specific cybersecurity program requirements.
Government contractors and federal agencies use Managed Services Agreements that incorporate compliance with the Federal Acquisition Regulation (FAR), DFARS cybersecurity clauses (252.204-7012), NIST SP 800-171 Controlled Unclassified Information (CUI) protection requirements, and FedRAMP cloud authorization requirements for cloud service providers.
Managed Security Service Providers (MSSPs) — companies that provide 24/7 Security Operations Center (SOC) monitoring, SIEM (Security Information and Event Management) services, endpoint detection and response (EDR), and threat intelligence — use specialized Managed Security Services Agreements that define incident response obligations, SLA response times for security events, and the MSP's notification obligations under state data breach notification laws such as California Civil Code § 1798.29, New York General Business Law § 899-aa, and the requirements of all 50 state breach notification statutes.
What to Include in Your Managed Services Agreement
A legally effective US Managed Services Agreement must contain the following essential provisions to define the service scope, establish performance standards, allocate security and data processing responsibilities, and provide enforceable remedies for service failures.
The service scope definition — often documented in a Service Schedule or Exhibit A attached to the MSA — must precisely identify all systems, devices, users, and service categories covered by the agreement. The scope should list: covered devices (servers, workstations, laptops, network switches, firewalls, storage systems) by type and quantity; covered software platforms (Microsoft 365 tenants, Google Workspace, specific line-of-business applications); covered service categories (helpdesk support, patch management, backup monitoring, network monitoring, cybersecurity); business locations covered; and any systems or services expressly excluded from managed services scope. Ambiguity in scope is the most common source of MSP-client disputes, and a detailed scope schedule prevents arguments about whether a particular service or system is included in the monthly fee.
The Service Level Agreement (SLA) must specify measurable performance standards including: response time commitments by incident severity level (P1 critical — 15-minute response; P2 high — 2-hour response; P3 medium — 4-hour response; P4 low — next business day response); resolution time targets for each severity level; uptime guarantees for managed servers and infrastructure; monitoring frequency; and monthly reporting requirements. The SLA must define what constitutes a service credit when SLA targets are missed, the maximum credit per month, and the exclusions from SLA measurement (third-party outages, client-caused incidents, scheduled maintenance windows, and force majeure events).
The data security and privacy clause must specify: the MSP's obligation to implement and maintain information security controls appropriate to the sensitivity of the client's data; the minimum security standards the MSP must meet (SOC 2 Type II compliance, ISO 27001 certification, or equivalent); access control requirements (role-based access, multi-factor authentication, privileged access management); the prohibition on the MSP using client data for any purpose other than delivering contracted services; the MSP's data breach notification obligation — including the timeframe (24 to 72 hours after discovery of a confirmed breach is standard) and the information to be included in the notification; and the MSP's cooperation obligations in the event of a regulatory investigation or data breach response.
The HIPAA Business Associate Agreement (BAA) addendum must be incorporated or attached for any client that qualifies as a HIPAA covered entity or business associate. The BAA must satisfy the requirements of 45 C.F.R. § 164.504(e), including provisions on the MSP's permitted uses and disclosures of PHI, the MSP's obligation to implement HIPAA Security Rule safeguards, the MSP's obligation to report breaches of unsecured PHI under 45 C.F.R. § 164.410, and the obligations upon termination of the BAA.
The fee structure and billing clause must specify: the monthly managed services fee; the billing cycle and payment due date; the procedure for adding or removing covered devices or users and the resulting fee adjustment; the separate hourly rate or project fee structure for out-of-scope work; annual escalation terms; and the consequences of late payment including interest and suspension of services.
The limitation of liability clause must address the MSP's aggregate liability cap (typically limited to 3 to 12 months of fees paid), the mutual exclusion of consequential and indirect damages, and the carve-outs from the cap for gross negligence, willful misconduct, breaches of data security obligations, and HIPAA BAA violations. The MSP's required insurance coverage — commercial general liability, professional liability/errors and omissions, cyber liability, and workers' compensation — should be specified as a condition of the agreement, with minimum coverage amounts.
The termination and transition clause must specify each party's termination rights (for cause after cure period, for convenience on 30 to 90 days' notice), the MSP's transition assistance obligations upon termination (continuing services through the transition, providing documentation and credentials to the incoming provider), and whether any early termination fee applies for convenience terminations within an initial contract term.
Sources & Citations
Statutory citations link to official government sources.
- 42 U.S.C. § 1320d (US) – Cornell LII
- 45 C.F.R. § 164.504 (US) – eCFR
- 17 C.F.R. § 248.30 (US) – eCFR
- 45 C.F.R. § 164.410 (US) – eCFR
- Health Insurance Portability and Accountability Act of 1996 (US) – Cornell LII
- HIPAA (US) – Cornell LII
- California Consumer Privacy Act, CA (US) – official
- Cal. Civ. Code §§ 1798.100, CA (US) – official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Managed Services Agreement (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/contracts/managed-services-agreement
Frequently Asked Questions
A managed services agreement (MSA) is a contract under which a managed service provider (MSP) assumes ongoing responsibility for a defined set of IT or operational functions on behalf of a client, typically for a fixed recurring monthly fee. This is fundamentally different from a traditional time-and-materials IT services contract, where the client engages a vendor to perform specific tasks as needed and pays for actual hours worked. Under a managed services model, the MSP takes proactive, continuous responsibility for the client's covered systems — monitoring, maintaining, patching, and supporting them on an ongoing basis — rather than responding reactively when problems arise. Common examples of managed services include: managed IT support and helpdesk; managed network and infrastructure; managed cybersecurity (SOC/SIEM services, endpoint protection); managed cloud services; managed backup and disaster recovery; and managed communications (VoIP, Microsoft 365 administration). The fixed monthly fee model aligns the MSP's incentives with preventing problems (since fewer incidents mean less work), rather than being paid more for remediation work. The MSA should clearly define which systems and services are within scope, the service levels the MSP must maintain, escalation procedures, how out-of-scope work is handled, and the client's responsibilities for cooperation and access.
A service level agreement (SLA) is the section of an MSA that defines the measurable performance standards the MSP must achieve. A well-drafted SLA should include: Response time commitments — the time within which the MSP will acknowledge receipt of a support ticket and begin working on it, typically tiered by severity (for example, critical issues affecting the entire network: 15-minute response; high-priority issues affecting a single user's ability to work: 4-hour response; low-priority questions: next business day). Resolution time commitments — the time within which the MSP commits to resolving or providing a workaround for different categories of issues. Uptime guarantees — for systems the MSP manages and is responsible for, a minimum availability percentage (for example, 99.5% monthly uptime for managed servers). Monitoring standards — the frequency and scope of proactive monitoring and the metrics the MSP will track and report. Reporting obligations — monthly or quarterly service reports showing performance against SLA metrics. Remedies for SLA failures — service credits or fee reductions when SLA targets are missed. The SLA should also clearly define what is excluded from SLA coverage: incidents caused by the client's actions, third-party outages, scheduled maintenance windows, and force majeure events should not count against the MSP's SLA performance.
Because MSPs typically have broad access to client systems, networks, and data — often including sensitive personal information, financial records, and confidential business data — data security and compliance provisions in an MSA are critically important. The agreement should address: Access controls — the MSP's obligation to implement role-based access controls, multi-factor authentication, and the principle of least privilege when accessing client systems. Data handling — restrictions on how the MSP may use, access, store, or disclose client data, and a prohibition on using client data for any purpose other than delivering the contracted services. Incident notification — the MSP's obligation to notify the client promptly (often within 24 to 72 hours) of any actual or suspected security incident, data breach, or unauthorized access to client systems. Compliance obligations — if the client is subject to industry-specific regulations (HIPAA for healthcare, PCI-DSS for payment card processing, SOX for public companies, CCPA/CPRA for California businesses), the MSP should agree to handle regulated data in compliance with applicable requirements and to sign any required Business Associate Agreement (BAA) or Data Processing Agreement (DPA). Business continuity — the MSP's obligations for backup, recovery, and disaster recovery in the event of a ransomware attack, hardware failure, or natural disaster. Security audits — the client's right to audit the MSP's security practices, or to require the MSP to provide SOC 2 Type II reports or equivalent third-party assessments.
Managed service providers use several fee structures, each with different risk profiles and incentive alignment. The per-device or per-seat model charges a fixed monthly fee for each device (desktop, laptop, server, network switch) or user seat covered by the managed services. This model is simple and predictable for both parties and is common for IT helpdesk and endpoint management services. The all-inclusive or flat-fee model charges a single monthly fee for all services covered in the MSA, regardless of the number of incidents or devices. This model maximizes predictability for the client and incentivizes the MSP to invest in proactive maintenance to reduce incident volume. The tiered or à la carte model offers different service packages (bronze, silver, gold) at different price points, allowing clients to choose the level of coverage that fits their needs and budget. The hybrid model combines a base monthly fee for standard services with additional charges for out-of-scope work, after-hours support, or significant projects. The MSA should clearly define what is included in the monthly fee, what constitutes out-of-scope work that will be billed separately (usually at a separate hourly or project rate), how the fee changes if the client adds devices or seats during the term, and the process for annual price adjustments.
Liability limitation clauses are among the most negotiated provisions in managed services agreements because MSPs have access to critical systems and their failures can cause significant business disruption. MSPs typically insist on liability caps and limitation-of-liability clauses to manage their financial exposure. Common MSP liability provisions include: Aggregate liability cap — limiting the MSP's total liability for all claims arising from the agreement to the fees paid in the preceding 3 to 12 months. Mutual limitation of consequential damages — excluding both parties' liability for indirect, incidental, special, or consequential damages (lost profits, business interruption, data loss beyond direct recovery costs), even if advised of the possibility. This exclusion is critical for MSPs because a single outage could, in theory, cost the client millions in lost revenue that far exceeds the monthly MSP fee. Carve-outs from liability limits — most negotiated agreements carve out certain claims from the liability cap, including claims arising from the MSP's gross negligence or willful misconduct, data breaches caused by the MSP's failure to implement required security controls, and indemnification obligations for third-party intellectual property claims. Clients — particularly those in regulated industries where data breaches carry statutory penalties — should negotiate for higher liability caps, stronger carve-outs, and requirements that the MSP maintain errors and omissions (E&O) and cyber liability insurance with adequate limits.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.