As an in-house lawyer I have negotiated and edited hundreds and hundreds of contracts. I was also a trial lawyer for years so I have some perspective on risk management and what happens when the worst case scenario becomes reality. Here are the best practices I can share with you from the field, expanding on this initial Twitter post on the subject. This guide is written from the perspective of an in-house lawyer, but should translate well even if you are not in that position.

Important caveat: This is not legal advice. These are general principles and may not apply in your situation! Always hire a lawyer to evaluate your specific case.

Before you do anything, ask follow up questions from whomever in the business sent the contract to you for review. There is a 70%+ chance there is more context and detail you are missing that you need beyond the “hey legal please review” email you got it in.

What context are you missing?

✅ prior negotiations / verbal promises (on either side)

✅ how the business person thinks this product works

✅ what the business person is hoping to use the product for

Create a checklist of major points you consistently want in your contracts, your preferred position on each, and run through it while redlining. Know where you can compromise on that list. It will give you flexibility in negotiating to give the other side an easy win that you can exchange for something you really want. How you examine the acceptability of each of these categories will of course depend on your client and the specific negotiation. But here are some general concepts to consider for each one…

If your business representative has not already asked for a discount from list price, figure out how to do so. I have almost never seen a vendor willing to lose a deal because the potential client asked for a discount. Be ambitious. Not uncommon to get 20-50%+ discounts off list prices (really!), particularly for vendors in "high growth" mode.

On sell side: There is more pressure to get to yes but don’t give up important protections to get there. Know the hard limits of your business folks and be clear about what cannot be done. Be creative: sometimes the business can offer perks that are ‘free’ but make the buyer feel special. You are going to want to have a very strong working relationship with your sales team / rep if you want to enjoy your days.

On buy side: remember you are the future client of this vendor. Ask for concessions on price or additional services and always compare to others in the market. But remember the human side of the relationship; continuity and high caliber service are valuable.

Crypto specific: some vendors will accept payment in crypto. This can be particularly valuable if your client has a large treasury of tokens of some kind. Note, however, that if your client created these tokens, for tax purposes they may be considered to have a cost basis of $0.00, or if acquired long ago, far less than current value. This can create significant tax burdens for the client, particularly if payment in tokens is not closely aligned to the actual value of services the client receives. Consulting tax counsel for significant payments will save you many hours of headache down the road.

Additionally, if payment will occur in crypto, think carefully about how those payments will be structured. Payment for a fixed number of tokens may be tempting for simplicity, but can create outsize windfalls and deficits on either the paying or receiving side.

Alternatively, dollarized payments in crypto will require a conversion formula of some kind. Be careful about how this is structured, particularly if you want your finance team not to hate you. Things that sound reasonable, e.g., "30-day trailing average as of three days before the payment is made" may sound workable in theory, but may create operational burdens on exactly when and in what amount the payment will be made that may not align with the capacity of your internal teams. Also, be specific about what reference point you use. Will it be a specific market data site? What happens if that site goes down? Who picks which site? Resolving these questions in advance is ideal.

This is really asking: who has the risk for things going above expected budget? Be really careful to put caps / approval requirements for anything billed hourly. For example, "$250 per hour, but with a max of 20 hours absent written consent of [client]."

In the fixed fee situation, make sure you have milestones set to specific portions of the payment set so that you don't end up in the situation where you have no results and the vendor comes to you wanting to renegotiate the price/terms/deadlines because of claimed cost overruns.

Crypto Specific: If your client is paying in crypto, consider whether to assign a minimum value to the crypto for purposes of the contract so that unexpected price volatility will not have an inordinate impact on a crypto treasury.

Always make sure you know who is getting paid and when, how long the contract lasts, and what the notice deadlines are for termination or renewal. Do they make sense? Often 30-days is sufficient, but a core piece of software to a business may justify three to six months or more notice.

Vendors love auto-renewal, sometimes clients do too. Without it, unaware clients can see services shut down unexpectedly. Clients with better tools probably don't want it. Forcing a re-negotiation of terms/prices usually works in the buying party's favor.

Consider carefully the conditions that allow termination without cause. On the buy-side, the client will typically want termination available upon simple notice and, ideally, the refund of any prepaid fees. On the sell side, the client will typically want specific notice provisions and no refund in fees, on the justification that the pricing model only works if there is predictability in revenue at least 12-24 months in advance—which allows additional investments in human and technical resources.

Crypto specific: Especially in a highly regulated / fast-changing industry, include a provision about modifying terms to comply with new legal requirements. Alternatively, allowing termination on either side if performance becomes impossible, or exponentially more expensive, is a good safeguard for both sides. But keep in mind that it is worth articulating what specifically will trigger this contractual out. Otherwise you may find a clause that was supposed to be a protection has turned into a battle.

Make sure you know who will be the point person for your client and the counterparty, and get them to commit to regular check-ins. You want it to actually be a relationship so pain points are easy to address regularly. It is very easy for clients and vendors to become unhappy when communication breaks down — either because a key point of contact has left one company, or because no one bothered to check in on the assumption "no news is good news."

Your key contacts should make it a point to discuss any SLAs, any pain points, and any plans to resolve them. This can avoid a situation where either side is surprised by a sudden termination of the contract.

Crypto specific: With an industry that prizes pseudonymity, make sure you are confident you have genuine contact information, both for the company and for the people within it you need to contact.

Should be an area of focus and will force you to deeply understand how the business is going to use this product. Make sure there are clear and measurable metrics. These categories are some of the most common:

• uptime

• deliverables

• reliability

• responsiveness

Uptime can be of critical importance, and there are meaningful differences between 99% and 99.999% uptime; using this reference during negotiations will help you keep things in perspective.

It is typical to negotiate for assurances that the vendor will meet their SLAs, which can be done either with a carrot or with a stick. The carrot method is to offer the vendor a bonus if they exceed the SLAs by a fixed bonus or some agreed upon percentage.

The stick method requires the vendor to offer some type of credit or refund when they miss SLAs, and if they keep missing them, to let the client out of the contract without any further obligation.

Example: "If vendor fails to satisfy the SLAs in any given month, client shall be entitled to a 10% credit towards the next invoice. If vendor fails to satisfy the SLAs in any three months in a rolling twelve-month period, client shall be entitled to terminate this contract without any further obligation."

Crypto specific: If payment occurred in crypto, do you want the crypto back (triggering tax questions), do you want credit for future work, or do you want a refund in fiat? Answering this question will depend on many other variables, but be clear on what your client will value most in the context of a particular contract.

Usually pretty boilerplate language here, but make sure it is mutual and covers the content you want it to cover, especially in niche situations. Sometimes these say they apply only if it is "marked confidential." Just no. Protections should apply based on 'reasonable expectations' of confidentiality. Otherwise you will find yourself in a situation where many documents are not stamped as confidential, and the confidentiality provision in the contract does not back you up.

Many times confidentiality agreements have time 2-3 year time limits, which are generally fine as long as obligations related to trade secrets remain intact indefinitely.

What kind of announcements/promotions can either party make about the deal? When? What happens when the relationship sours? Make sure to have revocation of consent clauses here, especially in the context of logo/brand usage.

Focus on System and Organization Controls (SOC) reports, especially for key vendors. Make sure you understand the vendor's operations enough to ensure their security matches your needs (dual controls, multiple authorizations, etc.)

Crypto specific: For vendors that are offering crypto custody services — or will otherwise be handling large amounts of crypto you send them — make sure you have a deep understanding of what kind of protocols the vendor uses for for its wallets, how it stores wallet keys, how it handles multi-signature practices, and what representations and assurances the vendor can give you on these points. For example, a vendor might say they use only multi-signature wallets with tight organizational controls, but if all three signing wallets (and their keys) are all stored in the same location, how secure is it really?

If you are unfamiliar with wallet security, this would be a great topic to brush up on.

For vendors storing sensitive information for you, ask if the vendor has a plan for disaster recovery, and if you can see it. This is the "what happens when your data center in New York falls into the ocean" question and is critical to making sure your data/services continue in worst case scenarios, particularly if you are using a smaller vendor to store highly sensitive information.

Crypto specific: To buttress any individual vendor's disaster recovery plans, you might explore the use of decentralized storage services like the Arweave or Interplanetary File System (IPFS).

Have clear lines about who owns created work product. For most consultants and professional services, you typically want a work made for hire — a technical term referencing U.S. copyright law that gives the person paying for the work full rights of ownership.

If you are not going to have full ownership rights for something you are paying someone else to create, be very careful in considering what rights you will have and what rights your client expects to have. What kind of derivatives can be made? Is permission needed to use it beyond internally?

Crypto specific: Although the industry often prides itself in making a lot of code open source, that is not the only type of intellectual property at issue. Pay particular attention to rights to trademarks, logos, and other brand-related materials. Often use of this type of IP is what authenticates a brand as genuine, and is misused to deceive victims into believing something is genuine. Be very mindful about how you permit this sort of IP to be used.

These can be very industry specific, and risk specific. Keep in mind that warranties can provide a different (and more expansive) claim than breach of contract. Most SaaS contracts will disclaim basically all warranties, but you can usually get concessions around the platform being free of viruses/malware.

Crypto specific: Particularly for contracts that are settled in crypto payments of some kind, it is standard practice to include disclaimers about the crypto's (usually uncertain, ambiguous, or unknown) status under a particular jurisdiction's law. This is a "take at your own risk" disclaimer that primarily protects the paying party.

This is often the least understood provision in contracts, and therefore the most overlooked. The basic premise of indemnity provisions is to determine who must pay if a third party sues one of the contracting parties. Vendors frequently include extremely broad indemnity requirements of their clients in their standard contracts.

In most circumstances, this practice should be heavily negotiated against. The paying party is hiring the vendor for their expertise and only has payment obligations. There is almost never a reason why the paying party in this instance should indemnify the vendor if the vendor gets sued by a third party for performing its job poorly.

One possible exception is where the paying party is providing intellectual property of some kind that the vendor will rely on. In this circumstance, a very limited indemnity provision covering only claims related to misuse of IP given to the vendor by the client may be appropriate.

Also, totally unlimited indemnity may be the default interpretation of the contract if no cap is placed on the indemnity. Consider including specific caps on indemnity in the liability limits section of the contract.

Crypto specific: Some contracts may contemplate indemnity against claims by regulators. Tread carefully here, as defending against such claims, without a limit, may be financially ruinous.

For critical vendors and larger contracts, ensuring your vendor has insurance coverage can protect you against significant downside risk, particularly in the context of business outages or security events. Make sure you set limits that tie to the most likely risks, with $1 million being a typical minimum for any category. (And if your vendor can't secure such a policy, ask yourself why.)

The three most common policies to pay attention to are:

• Commercial General Liability (CGL),

• Cybersecurity, and

• Errors & Omissions (E&O)

It is typical to ask for a certificate of insurance (COI) in these provisions which allows you to have certainty at regular intervals that the vendor actually has the insurance they say they are going to have in the contract.

Some vendors will agree to permit insurance to still be in play even where liability is otherwise capped (e.g., greater of insurance limits or $100k/payments over 12 months).

Both sides of course want to cap liability as much as possible, but standard contracts may provide a cap only for one side, which can provide asymmetric risk. Generally speaking, neither side should have uncapped damages even for worst case scenarios.

Exceptions to caps (or super-cap limits) for gross negligence, willful misconduct, or breaches of confidentiality are standard. Tying super caps to insurance limits can also be a helpful way to provide additional downside risk protection that many vendors will accept.

Ordinarily you will be more concerned with the absence of a clause like this than its presence. It provides an out for performance in the event an act of god prevents one side from performing. One point of negotiation is to exclude payment obligations from non-performance, particularly if you are on the sell-side of a contract, as "flood in my hometown" is often not a good excuse for "I shouldn't have to pay you for cloud hosting services."

Once standard, non-solicit and non-compete agreements now should be approached with sensitivity in light of the FTC's general ban on non-compete agreements. Non-solicit agreements between businesses who have a contractual relationship may be permissible if narrowly tailored.

Outside of restrictions on employees, you should also consider what restrictions you want particular vendors to have on serving other clients that may be similarly situated to your business. Would that kind of service potentially give your competitors an advantage? How much do you think you can actually rely on or enforce confidentiality obligations with this particular vendor?

Answering these questions may be more practical than legal in nature, but clients should be aware that having a remedy and getting it are two very different things.

Assignment is too often prohibited without the other party's consent with no exceptions. In high growth industries/turnover/acquisition industries like crypto, this can cause major headaches if there is an acquisition. Build in exceptions for when a company is totally acquired by a third party, as appropriate.

If the business has many clients, it will likely want single-venue arbitration to force everyone into the same venue and through an accelerated process in the event of a catastrophe (e.g., data breach). If you represent one of those clients, your client will want as much as possible to be in court because that maximizes settlement leverage in the event of a dispute.

Where any disputes will be decided, including in arbitration. Ordinarily, venue has nothing to do with the law that governs the agreement. Many people forget this and just say "disputes decided in San Francisco" without picking a law to govern the contract. Big mistake, particularly if crypto law issues arise — the states in many ways are taking the lead on crypto regulation in the absence of federal law. So, pick your law.

Hugely important. Make sure you know what laws you want to apply to your business, and why. Too often people are not able to articulate what they like about a particular law, which I assume means they want it because it's the one they know without much further consideration. Standard states for commercial law are:

• New York

• Delaware

• Florida

• California (disfavored, but common)

Crypto specific: Other states, like Wyoming, are attempting to cater more to crypto businesses, although its enactments provide more regulatory than contractual certainty. For commercial purposes, looking to the 21 states that have enacted the 2022 amendments to the Uniform Commercial Code that address (among other things) how security interests in digital assets can be perfected may be of more practical interest depending on the type of business your client is running.

This can be a huge economic incentive and tail that wags the dog in disputes if not addressed. Fee-shifting provisions (loser pays) are a good way to encourage people to settle and discourage frivolous claims. For example, generally people will only bring meritorious claims if they could be at risk of paying the other side's attorneys' fees. But if you're the defendant and your case is weaker, you have a strong incentive to figure out how to resolve the dispute — otherwise if you lose, you pay the winner's fees.

That said, where the parties are on relatively equal economic footing, agreeing to the so-called American rule of each side paying their own way may be an acceptable alternative.