Pillar Guide · 2026 Edition

Enterprise Software Contract Red Flags — 30 Clauses to Never Accept

Every major vendor's default contract contains 10-15 clauses designed to maximise vendor leverage. Here are the 30 we redline on every engagement.


Why standard contracts contain these clauses

Vendor contract boilerplate evolved over decades to optimise for vendor outcomes at every possible edge case. The contract you receive is the vendor's starting position; it is never the only position the vendor will accept.

Our vendor-specific services redline every one of these categories.

Category 1 — Audit clauses (7 red flags)

1. Uncapped audit frequency.
2. No clause requiring the vendor to bear audit costs when findings fall below 5%.
3. Choice of on-site versus remote audit given to the vendor.
4. 'Reasonable' scope language.
5. No obligation to disclose the audit tool.
6. No cure period.
7. Vendor-paid findings threshold.

See audit defence service.

Category 2 — Price & renewal clauses (5 red flags)

1. Uncapped annual price increase.
2. 'Then-current list price' at renewal.
3. No back-year price hold.
4. Auto-renewal with >60-day notice.
5. No cross-product discount commitment.

Category 3 — Term & termination clauses (6 red flags)

1. Asymmetric termination (vendor can, buyer can't).
2. No termination-for-convenience.
3. Data deletion on termination (you need export rights).
4. Immediate payment acceleration.
5. No partial termination on unused SKUs.
6. Material breach standard skewed against the buyer.

Category 4 — Liability & indemnity (5 red flags)

1. Liability capped at fees paid in the prior 12 months.
2. No carve-out for confidentiality breach.
3. No third-party IP indemnification.
4. Mutual indemnity at different caps.
5. Consequential damages exclusion without carve-outs.

Category 5 — Compliance & definitions (4 red flags)

1. 'User' defined broadly to include test/dev accounts.
2. 'Processor' counted without clarification of how virtualised cores are treated.
3. No carve-out for disaster-recovery instances.
4. Indirect-access clauses triggering double-billing.

Category 6 — Data & security (3 red flags)

1. No sub-processor change notification.
2. Data-export format unspecified.
3. Deletion timeline >30 days post-termination.

The redlining process

Every contract needs an initial redline pass by a negotiator who knows vendor-side boilerplate. Legal handles the legal process; our specialists handle the commercial-architecture redlines.


Frequently asked questions

Will vendors actually accept these redlines?

Many yes, some no. Oracle accepts ~50% of standard buyer redlines. Microsoft accepts ~70%. SAP accepts ~60%. AWS EDPs accept ~40%. Knowing which redlines are worth the fight is vendor-specific experience.

How much negotiation time does redlining add?

Adds 3-5 weeks to a typical renewal. Worth it — good redlines compound over every future interaction with the vendor.

What if our standard MSA already has terms that conflict with these redlines?

Vendor contracts almost always override MSA boilerplate. Every net-new contract needs fresh redlines.

Ready to apply this to a real contract?

30-minute free estimate. We review your specific renewal or audit and tell you whether we think the savings are worth pursuing — no commitment either way.
