Commercial Law | By Adv. Or Elyashiv

Managed Services Agreements (MSA): Structure, Risks, and Negotiation Strategies

A comprehensive guide to drafting and negotiating managed services agreements in Israel's technology sector


What is a Managed Services Agreement (MSA)

A Managed Services Agreement (MSA) is a contract that governs an ongoing relationship between a service provider and client, where the provider assumes responsibility for operating, managing, or maintaining the client's systems or business processes on a continuous basis. Unlike a one-time project contract, an MSA focuses on delivering ongoing services over an extended period.

In Israel's technology ecosystem, MSA contracts are particularly common in cloud infrastructure management, cybersecurity services, technical support, data center management, and software system maintenance. Many companies prefer to transfer these functions to specialized providers rather than expanding their internal teams.

The fundamental difference between an MSA and a regular services contract lies in its unique characteristics: defined responsibility for outcomes (outcome-based), clear performance metrics (KPIs), guaranteed service availability (SLA), and a pricing mechanism based on service scope or consumption.

The legal framework for MSA contracts in Israel falls under the Contracts (General Part) Law, 5733-1973, and the Sale Law, 5728-1968 (where the contract includes sale of software components or equipment), as well as general contract law principles.


Contract Structure and Key Components

An effective MSA contract comprises several core components, each contributing to legal and operational clarity. The proper structure prevents misunderstandings and reduces the risk of disputes.

Service Description and Scope

The first and most critical component is a detailed and precise description of the services. Avoid general descriptions like "IT services" or "ongoing maintenance" and specify the exact activities: 24/7 system monitoring, daily backups, monthly security updates, telephone support, etc. Each service must be defined in a measurable way.

Role Definition and Responsibility Allocation

The contract must clearly define the scope of the provider's responsibility versus what remains the client's responsibility. For example, in cloud infrastructure management services - is the provider responsible for application performance or only the underlying infrastructure? Who is responsible for data backup - the provider, client, or shared between them?

Pricing Mechanism and Payment Structure

MSA contracts typically include more complex pricing models than regular service contracts. Common models include: fixed monthly fee (flat fee), usage-based pricing, tiered pricing, or a combination of several models. Ensure prices include an inflation adjustment mechanism and a clear definition of additional costs.

Payment Terms and Credit Conditions

Clearly define payment schedules (typically monthly in advance), credit periods, late fees, and service suspension mechanisms for non-payment. Consider including a clause allowing continued minimal service even in case of debt to prevent irreversible damage to the client's business.


Service Level Agreements (SLA) and Performance Metrics

The Service Level Agreement (SLA) is the beating heart of every MSA contract. It defines the measurable standards the provider commits to meet and the consequences of failing to meet them. A properly designed SLA transforms the abstract concept of "service quality" into concrete metrics.

Service Availability

Service availability is the most common metric, typically expressed as annual percentages. For example, 99.9% availability means the service can be unavailable for up to 8.76 hours per year. It's important to define what constitutes "unavailability" - does this include slow performance or only complete outages? Is planned maintenance included in the calculation?

Response and Resolution Times

Different response times should be defined for each problem level: critical issues (like complete service outage) warrant response within two hours, medium issues within 8 hours, and regular service requests within 24 hours. Distinguish between "response time" (when the provider begins handling the issue) and "resolution time" (when the problem is solved).

Key Performance Indicators (KPIs)

Beyond availability and response times, an MSA contract can include additional performance metrics: system recovery time after incidents (Recovery Time), full data backup completion time, first-call resolution percentage, user satisfaction ratings, and more. Each metric must be measurable, relevant, and include a clear numerical target.

SLA Non-Compliance Compensation Mechanism

What happens when the provider fails to meet SLA requirements? The common mechanism is service credits for future payments, calculated as a percentage of monthly payment based on the severity of the breach. For example, 99.5% availability instead of the guaranteed 99.9% might entitle the client to a 10% refund of the monthly payment.

Note that service credit clauses typically constitute a limitation on the provider's liability - meaning the client cannot claim additional damages beyond the agreed credit, unless the contract explicitly states otherwise.


Liability and Risk Allocation

Liability and risk allocation in MSA contracts is one of the most complex and critical aspects. In a regular contract, damage is typically limited to a specific project. In managed services agreements, provider failure can completely shut down the client's operations.

Types of Liability in MSA Contracts

Contractual liability can be divided into several categories: liability for service performance according to defined standards, liability for information confidentiality, liability for system security, and liability for damages caused to the client due to service failure. Each liability category requires separate treatment in the contract.

Liability Limitations

Managed service providers typically seek to limit their liability in several dimensions: a financial limitation (cap), under which liability will not exceed a certain amount; a time limitation, under which claims must be filed within a short timeframe; and a damage-type limitation, excluding indirect damages like lost profits or data.

Israeli law permits liability limitations in commercial agreements between businesses, but there are constraints. According to the General Contracts Law, complete exemption from liability for bodily harm or intentionally caused damage is not permitted. In B2B agreements, courts will examine whether the limitation is reasonable in relation to the service nature and consideration.

Insurance and Cross-Liability

MSA contracts should clearly define who bears insurance costs and what coverage is required. Typically, the provider is required to maintain professional liability insurance, cyber insurance, and third-party liability insurance. The client should be named as an additional beneficiary in insurance policies and should require advance notice of policy cancellation or changes.

Indirect and Special Damages

One of the most sensitive points is liability for indirect damages - lost profits, reputational damage, system restoration costs, and third-party damages. Providers will try to exclude these damages from liability, while clients argue these are the expected consequences of critical managed service failure. The solution is often distinguishing between regular failure (limited liability) and fundamental breach or repeated failure (expanded liability).


Data Security and Confidentiality

Managed services agreements typically include extensive provider access to client systems and data. This raises complex legal questions related to data security, privacy protection, and commercial confidentiality, which gain special importance given developments in Israeli regulation.

Obligations Under the Privacy Protection Law

Following Amendment 13 to the Privacy Protection Law, 5741-1981, which entered into force in 2025, new obligations were created for service providers processing personal information for their clients. The provider may be considered a "data processor" and not just a service contractor, imposing direct obligations toward the Privacy Protection Authority and data subjects.

The contract should include provisions defining the service provider as a data processor, limiting information use to service provision purposes only, and requiring implementation of appropriate technical and organizational protection measures. Additionally, as of the date of this article, the contract should regulate obligations to report security incidents to the authority and to data subjects.

Trade Secret Protection

A managed service provider is exposed not only to customer information but also to trade secrets, internal work processes, and sensitive business information. Comprehensive confidentiality clauses should be included defining what constitutes "confidential information," how it should be handled, and what the exceptions are (previously known information, information that became public knowledge, etc.).

Security Controls and Reporting Obligations

The contract should detail required security controls: data encryption at rest and in transit, access controls, activity logging, encrypted backups, and periodic security testing. Define what constitutes a "security incident" requiring immediate reporting and the procedures for handling it.

Data Location and Cross-Border Transfer

Clearly define where data will be stored (in Israel, European Union, United States), whether data transfer to additional countries will be permitted, and what approvals are required from the client for such transfers. Given Israel's partial recognition by the European Union as a country with an adequate level of protection, special attention should be paid to EU resident data.

Data Return and Deletion

Upon termination of the engagement, the process of transferring data back to the client or alternative provider should be regulated, along with timelines for deleting data from provider systems. Ensure deletion is thorough and includes backup copies, while excluding information the provider is legally required to retain.


Contract Termination and Provider Transition

Terminating a managed services agreement is more complex than terminating a regular contract, as the client depends on the provider for ongoing operation of critical systems. Planning for contract termination should begin at the drafting stage, not when termination is imminent.

Termination Reasons and Notice Procedures

Distinguish between different types of termination: natural termination at the end of the term, termination by either party without cause, and termination due to material breach. Each type requires different notice procedures - typically 30-90 days advance notice for regular termination, and 7-30 days for termination due to breach (depending on breach severity and ability to cure).

Transition Period and Overlap Services

The contract should regulate a "transition period" during which the existing provider continues to provide minimal service while the client establishes alternative arrangements or internalizes the service. This period can be under the same terms as the original engagement, or under adapted terms (for example, higher cost since the provider is not planning for long-term continuation).

Data and Documentation Transfer

The provider must transfer to the client or alternative provider all data, configuration files, documentation, passwords, and encryption keys. Define standard formats for data transfer (for example, CSV files for databases or standard templates for system configurations), and detailed timelines for each transfer stage.

Non-Competition and Non-Solicitation

A delicate question is whether to include non-competition or employee non-solicitation clauses in MSA contracts. On one hand, the client fears the provider will poach IT employees or establish competing services based on acquired knowledge. On the other hand, Israeli law limits such clauses, particularly requiring them to be reasonable in scope and time.

If choosing to include such restrictions, limit them to key employees directly involved in the service, for a short period (up to one year), and to a specific geographic area or business sector. A general clause prohibiting the provider from serving any client competitor will likely not pass the reasonableness test.

Equipment Removal and Return

If the managed service included installation of equipment or software at the client site, define who is responsible for removal, who bears the costs, and in what condition equipment should be returned. In some cases, the client may prefer to purchase the equipment at the end of the engagement, so it's advisable to establish a pricing mechanism for such purchase in advance.


Negotiation Strategy and Key Points

Negotiating a managed services contract requires a different strategy than a regular project contract. The technical complexity, high mutual dependence, and broad business impact require a calculated approach and balance between conflicting interests.

Preparation for Negotiation

Before beginning negotiations, each party should conduct a "scenario exercise" - what happens in case of a major technical failure? What if the provider encounters financial difficulties? What if the client wants to significantly change the service scope? Early understanding of possible scenarios enables preparation for critical negotiation points.

Carefully examine the financial and technical competency of the other party. A client wanting 99.99% availability but unwilling to pay for it, or a provider committing to standards they cannot meet, will inevitably lead to future conflict.

Critical Negotiation Points for Clients

From the client's perspective, emphasize defining measurable and enforceable SLAs, meaningful compensation mechanisms for non-compliance with commitments, audit rights and performance reporting, and clear definition of escalation and problem resolution processes. Also insist on flexibility in changing service scope up and down, and the right to terminate the engagement without cause with reasonable notice.

Regarding security and privacy, the client should insist on maintaining control over their information, the right to audit the provider's security measures, and immediate reporting obligation for security incidents. For companies subject to special regulation (banks, insurance companies, pharmaceutical companies), ensure the provider understands regulatory requirements and commits to compliance.

Critical Negotiation Points for Providers

The provider, in turn, will seek to limit financial and professional liability, establish a pricing adjustment mechanism (index or annual percentage), and ensure access to authorized contacts from the client for change approvals. The provider must also handle requests for service changes not included in the basic scope, so it's important to define a pricing mechanism for additional services in advance.

Pay attention to balancing SLA commitments with factors outside the provider's control - for example, problems with the client's internet network, failure of equipment not supplied by the provider, or changes to third-party systems. Negotiations should include agreed "SLA exceptions" for extraordinary circumstances.

Balance Between Flexibility and Certainty

The central tension in every MSA negotiation is between the need for flexibility (services must evolve with the client) and the need for certainty (both parties need to know what they're agreeing to). The solution is often an "agreed change" mechanism allowing adjustments under predefined conditions, and periodic "service review" (typically quarterly or semi-annually) to examine the need for updates.

Given the rapid development of technological systems and changes in the regulatory environment, the success of an MSA contract depends on both parties' ability to collaborate as long-term partners, not merely as formal supplier and client.


The information contained in this article is general in nature and does not constitute legal advice. For advice tailored to the specific circumstances of your company, we invite you to contact our firm.

Written by Adv. Or Elyashiv

Founder of Or Elyashiv Law Firm, specializing in technology law, privacy protection, intellectual property, and commercial law. Advising tech companies, startups, and international investors.
