30 founder-authored procurement cases covering IT/SaaS, Facilities Management, and Professional Services. Every case encodes a real risk pattern with negotiation guidance.
30 total cases: 3 Critical, 19 High, 8 Medium.
compliance + legal
No commitment on where data is stored or processed. For Saudi customers under the KSA PDPL, UAE customers under the UAE federal PDPL, or any GCC customer in a regulated sector (banking, healthcare, government, telecoms), data residency may be a legal requirement, not a preference. The clause as written gives the vendor unilateral discretion over hosting location, and therefore over which jurisdictions' laws and authorities can reach the data. *Confirm specific regulatory requirements with Legal; they vary by sector and jurisdiction.*
operational + commercial + supplier
For mission-critical SaaS, a 30-day extract window is operationally impossible. The clause assumes the customer has alternative infrastructure ready on day 1 of termination — which is rare and unrealistic. There is no commitment to data format usability, no transition assistance, no documentation handover, and no obligation to support migration. This is a lock-in clause masquerading as a standard term.
legal + commercial
A 12-month-fees cap is industry-standard for general claims, but it is materially inadequate when the SaaS holds personal data, financial data, or other sensitive customer data. A single breach can produce regulatory fines, third-party damages, customer notification costs, and reputational losses that vastly exceed annual fees. Procurement is buying risk transfer; this clause transfers very little of the breach risk back to the vendor.
commercial
Three traps combined in one clause: (1) auto-renewal for the *same length* as the initial term (could be 3 years); (2) a 90-day notice window that is easy to miss with no automated reminder; (3) repricing at "then-current list pricing" — wiping out the originally negotiated discount. Once the notice window passes, the customer is locked in for another full term at materially higher pricing.
operational + commercial
No uptime commitment, no measurable SLA, no service credit mechanism. "Commercially reasonable efforts" is unenforceable in practice. The exclusions for "scheduled maintenance," "emergency maintenance," and "circumstances beyond reasonable control" can absorb most real downtime. The vendor has no financial incentive to invest in availability.
compliance + operational
Sub-processor changes can introduce new data jurisdictions, new security postures, and new risk profiles, all without the customer's awareness or consent. The "list available at URL" model gives the vendor full discretion; the customer's only signal is periodically checking a URL. Under most data protection regimes, the customer (as data controller) is responsible for due diligence on sub-processors, and it is the customer, not the vendor, that answers to the regulator when a sub-processor fails. This clause makes that due diligence impossible to perform in practice: without advance notice and an objection right, the customer can only discover a change after the data has already moved.
Customizations developed *for* the customer at the customer's expense become Vendor IP. The customer cannot port these customizations to a successor system, cannot benefit from them outside the vendor's platform, and loses access entirely if the subscription ends. This is double-paying: paying for development *and* paying ongoing subscription to use what you paid to develop.
legal + commercial + supplier
The vendor has broad termination flexibility; the customer has none. If the vendor decides to exit the market, deprioritize the platform, or simply replace the customer with a higher-paying one, the customer is given 30 days to migrate a critical platform. Meanwhile, the customer is locked in for the full term. The asymmetry is commercially indefensible.
The indemnity sounds protective but is gutted by exclusions. "Open-source components" and "third-party software incorporated into the Service" describe most modern SaaS architectures. The combination exclusion ("combination with other products") covers virtually any real-world deployment, since SaaS is rarely used in isolation. Effectively, the customer is buying an indemnity for a fraction of the actual infringement risk.
The original deal was negotiated with a discount off list. The true-up clause reintroduces list pricing for incremental users. As organizations grow, true-up costs can rapidly exceed the negotiated baseline. The customer also has no opportunity to negotiate at the true-up point — invoices are issued unilaterally.
compliance + operational + reputational
Three vague phrases — "applicable laws," "material incidents," "appropriate insurance" — provide no actual standard, no notification timing, no incident classification, and no specific insurance requirements. For FM contracts involving on-site workforce, equipment operation, and customer-facing environments, HSE incidents can include injuries, fatalities, property damage, regulatory exposure, and reputational damage. The current language gives the customer no early warning and no enforceable standard.
Mobilization in FM contracts (hiring, training, equipment, IT systems, uniforms, vehicles, security clearances) is a real cost. Putting it at "no additional cost" and "completed prior to Commencement Date" either compresses the vendor's margin (which they will recover elsewhere) or sets up failure on day one. There is no defined mobilization period, no defined milestones, no acceptance criteria, no transition plan.
operational
A 95% aggregate SLA can hide catastrophic failure at individual sites. If 24 of 25 sites perform at 99% and 1 site performs at 60%, the aggregate is still ~97.4% — well above the threshold. The failing site experiences a major service problem but no service credit is triggered. This rewards the vendor for averaging up and penalizes the customer at the worst site, where it matters most.
Saudization (Nitaqat) requirements vary by sector, company size, and activity classification. *Specific Nitaqat tiers and percentages should be confirmed with Legal/HR based on the current regulatory framework — they are updated periodically.* A vague "comply with applicable laws" clause leaves the customer exposed if the vendor's Saudization status downgrades, which can affect the vendor's ability to obtain visas, renew work permits, and operate. The customer may also have its own Saudization profile affected by how it engages subcontractors.
operational + legal + supplier
For multi-year FM contracts with dedicated workforce (often 50–500+ people on site), simply ending the contract and removing the workforce creates two problems: (a) loss of institutional knowledge and continuity; (b) potential employment law issues if workers expect transfer to the incoming provider. The clause is silent on (a) and (b). The incoming provider faces a hiring race; the customer faces a service gap; the workforce faces uncertainty.
commercial + operational
The clause sounds reasonable but contains a vendor-favorable trap: scope changes are mandatory ("Service Provider shall comply"), but price adjustment is conditional on agreement. In practice, this means vendors absorb minor changes (good for the customer) but the *threshold* for what counts as "material" is undefined. Vendors will fight every minor change as "material" to extract price increases, or — worse — they will defer the price negotiation, deliver the change, and bill at premium rates later through formal change orders. The structure also means scope can increase without commercial discipline.
A 5% cap on monthly service credits means the maximum financial consequence to the vendor for failing the entire SLA across all KPIs is 5% of the monthly fee. On a monthly fee of 100k, that is 5k, well below what the vendor saves by under-resourcing. The cap turns SLA penalties into a budget line, not a deterrent. Worse, "sole and exclusive remedy" prevents the customer from pursuing termination, damages, or any other consequence for repeated failures.
"Actual cost" sounds reasonable but is unverifiable without audit rights. Vendors can apply markups, rebates from suppliers (kept by vendor), and bundled costs that inflate "actual cost." Without a defined cost base, an audit right, or a markup limit, the pass-through becomes an open-ended revenue stream for the vendor. The customer has no leverage to challenge.
A 20% performance bond is high for FM (compared to typical 5–10% for service contracts). Larger bonds tie up vendor cash, which is recovered through higher service rates. The "callable on demand" with no procedural protection can be abused; banks often dispute these in practice. The "first-class bank" criterion may exclude regional banks, narrowing the vendor pool.
For FM scopes that include capital equipment (e.g., access control systems, security equipment, energy management systems, specialized cleaning equipment), the "equipment remains Service Provider's property" clause means the customer can lose access to operationally embedded equipment at contract end. If the customer paid for the equipment through monthly fees (which is typical, since the fees price in equipment amortization), they effectively pay for it twice — once during the contract, and again when they have to source replacement equipment at exit.
The classic consulting bait-and-switch. The bid was won by named senior partners and managers — usually the experts whose résumés persuaded the customer. The contract reserves the right to swap them out for junior staff with "equivalent skills." Customer ends up with a different team than they purchased, often at the same price. The "may not unreasonably refuse" phrase places the burden on Customer to justify rejection.
"Not limited to," "such other services," "reasonably required," "mutually agreed" — every clause designed to maximize ambiguity. There is no defined deliverable, no acceptance criteria, no measurable outcome. The customer cannot say what they are buying, and consequently cannot say when they have received it. Scope disputes are inevitable. Vendor will claim everything is in scope to extend engagement; customer will dispute and relationship deteriorates.
Open-ended T&M is the riskiest commercial structure for the customer. Without a Not-To-Exceed (NTE) cap, vendor has zero incentive to be efficient. "Summary invoices" hides detail; customers can't verify hours. Travel and expenses with no cap and no advance approval enables luxury choices at customer's expense. The customer has no budget control until invoices arrive.
Customer paid for the deliverables and receives only a restricted license. The "non-transferable" element prevents Customer from sharing deliverables with affiliates, group companies, advisors, or successor entities. Restrictions on modification mean Customer cannot update or evolve deliverables internally. The consultant retains the right to reuse customer-funded work for other clients. This is double-paying: customer funds development, consultant retains the asset.
NDA-style confidentiality with no requirement to return or destroy data at engagement end. Consultants accumulate sensitive customer data (financials, strategies, customer lists, IP) during engagements. Without a destruction obligation, this data sits in the consultant's systems indefinitely, exposed to the consultant's security incidents and to potential reuse for other clients. "Record-keeping purposes" is vague; "required by applicable law" is true for some categories (e.g., audit records) but not for most engagement data. Any retention carve-out should be limited to named record types, time-bounded, and paired with a written confirmation of destruction for everything else.
legal + reputational + competitive
The clause acknowledges competitor work but provides no disclosure obligation, no firewall requirement, and no consent right. Consulting firms regularly work for competing clients in the same industry; without disclosure, the customer cannot know whether the consultants providing strategic advice are simultaneously advising competitors. "Appropriate professional standards" is unenforceable. Information flow risks — even unintentional — are real.
The clause is overbroad on three dimensions: (a) duration (24 months is long; 12 months is more standard); (b) coverage ("any employee, contractor, or representative" includes people Customer never met); (c) liquidated damages of 2x annual compensation is high. The clause restricts Customer's hiring freedom for people who happened to be at the consulting firm. If a great consultant later applies to Customer through normal recruitment, Customer is exposed. The clause is one-sided — consultant is not similarly restricted.
"Reasonable satisfaction" is unenforceable. Without objective acceptance criteria, deliverables either get rubber-stamped (customer accepts substandard work) or trigger endless dispute (customer can't articulate what's missing). "Commercially reasonable time" for feedback puts the customer at risk of "deemed acceptance" arguments if response is delayed. No process for revisions, no number of revision rounds, no remedy for non-acceptance.
"Reasonable" is undefined. Consultants typically book business class (sometimes first class for partners), 5-star hotels, premium meals — all "reasonable" by their internal policy but potentially well above Customer's own travel policy. No pre-approval requirement means Customer pays the bill after the fact, with limited ability to dispute. Travel expenses on long engagements can be 10–20% of total consulting fees.
legal + operational
Consultants often run their analysis through proprietary tools — diagnostic platforms, benchmarking models, simulation software, data analytics tools. These tools may ingest Customer's data and produce outputs that are then embedded into deliverables. The clause as written means: (a) Customer cannot use the tools after engagement end; (b) Customer cannot replicate the analysis; (c) Customer's data may have been processed in ways Customer cannot inspect; (d) the consultant retains the outputs even though they were generated from Customer's data. The tools become a black box that Customer pays to operate but cannot operate independently.