The advantage of using a Master Service Agreement (MSA) for long-term business relationships is that you can invest the time and effort in creating it once, and then you can use it as a template for multiple digital services contracts in the future. The standard provisions in an MSA can often remain unchanged for a fair amount of time. Sometimes, though, there’s a fundamental shift in the way that business is conducted. When that happens, MSAs have to evolve to keep up.
The way that services get delivered is one such shift, and it’s happening rapidly. Services are now commonly delivered via the cloud. Teams of service providers often work remotely. Employees may be in different locations and in more than one state or country. Using outdated MSAs that don’t address the issues raised by these changes may increase legal risks or slow business operations.
At the same time, MSAs often appear in the context of engaging with a new customer. If the MSA is “over-loaded” or heavy-handed, it can interfere with the process of onboarding a new customer. An MSA should not read like a wish list of provisions. Heavily one-sided MSA forms introduced to a new customer are likely to bring in that new customer’s lawyer.
When to Use AI
AI engines like ChatGPT are masters at generating boilerplate. And, they speak with a tone of authority. Amid the many responses that lawyers have to the use of AI, and putting aside the topic of AI hallucination, we note that AI engines are not attuned to what you are doing at a fundamental level, which is making a deal.
The MSA establishes the parameters of your deal with a third party. The first draft of the MSA is usually delivered after the initial selection process has concluded and the parties are moving to the next stage of hammering out the relationship. An MSA that is overblown with every chunk of boilerplate that an AI engine can generate projects, at a minimum, thoughtlessness or an institutional tin ear. It may come across as something scarier than that – overreaching and unreasonableness (a nice word for “unfair” or even “sneaky”). To some potential customers, it may look like too much work to get through. The customer questions whether you are a good fit and moves on. We intend to discuss this topic at greater length in a follow-up article.
A different problem with AI-generated forms is that you can find yourself in a “battle of the forms.” For example, letters and emails among the parties may refer to the work product as made-for-hire and belonging to the customer, while the MSA refers to all work product as retained by the service provider and licensed to the customer. Inconsistent provisions as to ownership of intellectual property are not unusual. The problem is exacerbated when parties use AI-generated forms without understanding how they would be read “under fire.” Standard intellectual property provisions in MSAs are another topic we intend to cover at greater length in a follow-up article.
Finally, there is substance, and often nuance, to the boilerplate provisions in an MSA. For example, the venue provision of an MSA typically appears at the end of the MSA (when everyone is tired of reading). The venue provision looks harmless. It specifies which courts can hear a lawsuit among the parties if litigation occurs. No one wants to think about that. The possibility seems remote. But the choice of venue can be very material to a party in the future if they are considering litigation. In other words, it’s not just an administrative point. But, to an AI engine, there are no real-world dynamics to the provision. The AI engine is searching for patterns in its training data to make this decision. That is not helpful. Again, we intend to address this topic – specifically, venue provisions – in a future article.
Finally, a thoughtful MSA, versus a heavy-handed collection of provisions, makes an impression. The MSA conveys a message about how easy or difficult it will be to work with the company providing it. For example:
- Is the company that provided the MSA so internally focused that the MSA appears to create mindless work for the other party?
- Does the MSA impose compliance standards that realistically (to both sides) will not be met?
- Does the MSA impose so many burdens, or is it so complicated, that it comes across as an effort to wear down the other party?
- Does the MSA contain provisions that render the other party in default on day one?
- Does the provider of the MSA stand pat on points raised, saying “we always do it this way,” or do those changes have to be run by “legal”?
In practice, we see these issues all the time. There is no “one-size-fits-all” approach to resolving them. But we do get them resolved.
How Remote Work Is Reshaping Service Delivery
Census data shows that, in 2019, before the COVID-19 pandemic, approximately 9 million people in the U.S. worked from home. Four years later, despite a dip from the 2021 high, that number had more than doubled to 22 million. That’s part of a global trend. The World Economic Forum projects that the number of jobs that can be done remotely will increase by another 25% by the year 2030.
With the rise of virtual workforces and off-site service teams come new challenges in confidentiality, supervision, and compliance.
- When people collaborate online, there’s a greater risk of data breaches or leaks. Do you already have policies and guidelines within your organization that should be carried through in the MSA?
- Traditional methods of supervision need to be adapted to a virtual workforce.
- When virtual teams have workers from different jurisdictions, that may complicate regulatory compliance.
Addressing these issues in an MSA helps ensure consistency and predictability across different projects.
Core Changes in Digital-Age MSAs
Cybersecurity risks increase when employees access company data from home or other remote locations. This creates extra challenges in complying with cybersecurity standards, data protection laws, and industry regulations.
Putting provisions in an MSA to address these challenges will help. If your organization utilizes encryption standards, access controls, or procedures to respond to data breaches, consistency with these internal policies should be a key component of the MSA.
Cybersecurity will not work unless it carries through to all parties accessing your systems. However, asking a customer to install software or hardware or change their email system to match a higher level of security may be a deal killer. It also may make routine tasks unduly burdensome.
Compliance Considerations for IT and SaaS Companies
Modern Master Services Agreements should include provisions for compliance with legal frameworks that require specific ways to handle data, such as:
- The American Institute of Certified Public Accountants’ SOC 2
- The information security standard ISO 27001
- HIPAA, for covered entities and their business associates
IT compliance agreements play a crucial role in third-party risk management, ensuring that subcontractors adhere to the same data protection standards as the vendor. They contribute to audit readiness.
Key Clauses to Revisit or Add
Modern Master Services Agreements should include clear expectations about security standards, data protection, and confidentiality. These should help both the vendor and the customer understand their roles and responsibilities in keeping data secure.
Clauses to revisit or add include:
- What devices and internet connections remote workers can use to access company data – whether they can use their personal devices and home WiFi, or whether they must use company-supplied devices and separate internet connections
- If they use their personal devices, what security frameworks should be in place
- Protocols for encryption, firewalls, and VPNs, if needed
- Which collaboration tools (Zoom, Teams, etc.) are allowed
- Compliance with applicable data privacy laws, cybersecurity standards, and industry regulations. In particular, if a hack involves the personal data of individuals, who will be responsible for sending notices and notifying law enforcement, and which jurisdictions (Federal, state, and foreign) are implicated
- How access to sensitive systems and data will be restricted to authorized users
- What happens in the event of non-compliance with data security laws, regulations, or standards
- Whether one party may audit the other’s security compliance
- How disputes involving multiple jurisdictions will be handled
- Vulnerability assessments
Conclusion
In the digital age, MSAs must do more than outline deliverables. They must clarify the specific terms of the relationship, protect data, anticipate risks, prevent or discourage disputes, and ensure compliance.
In putting together an all-purpose MSA, consideration must be given to whether customers will reasonably be able to respond to the MSA and how they will react to the MSA, given their size, the cost of review and compliance, and the size of the contract.