Question 1

What is SOC 2 Type II and should the subcontract require it?

Accepted Answer

SOC 2 (Service Organization Control 2) is an AICPA audit framework for service providers that handle customer data. A Type II report covers a period (typically 6-12 months) and evaluates the operating effectiveness of the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Type I is a point-in-time description; Type II tests actual operating effectiveness. For IT subs handling prime-contractor or end-client data, requiring an annual SOC 2 Type II report is standard — it is the minimum evidence that the sub has documented information-security policies, access controls, encryption, monitoring, incident response, vendor management, and change management. The subcontract should require the sub to maintain SOC 2 Type II, provide the report annually (with NDA protection), and address any qualified opinions or exceptions in writing. SOC 2 Type II attestations typically cost the sub $20,000-$100,000 per year.

Question 2

Who owns the intellectual property created by an IT subcontractor?

Accepted Answer

IP ownership must be explicitly allocated in writing because the default law does not favor the hiring party. Under 17 U.S.C. § 101, work created by an independent contractor is NOT a 'work made for hire' unless (a) it falls within one of nine specific categories (contributions to a collective work, part of a motion picture, translation, supplementary work, compilation, instructional text, test, test answer, atlas) AND (b) the parties agree in writing that it is a work made for hire. Most software development and IT consulting work does not fit the nine categories, so work-for-hire language alone is insufficient. The subcontract must therefore include both a work-for-hire provision AND a separate present assignment of all intellectual property rights: 'Subcontractor hereby assigns to Prime Contractor all right, title, and interest in and to the Work Product, including all copyrights, patents, trade secrets, trademarks, and moral rights, worldwide.' Include a further-assurances clause requiring the sub to execute additional documents as needed to perfect the assignment.

Question 3

What SLA uptime commitments are standard?

Accepted Answer

SLA uptime is typically expressed as a percentage of monthly availability, with service credits for missed targets. Standard tiers: 99.9% ('three nines' = 43.2 minutes downtime/month, standard for business SaaS); 99.95% ('three-and-a-half nines' = 21.6 min/month, premium tier); 99.99% ('four nines' = 4.3 min/month, enterprise/mission-critical); 99.999% ('five nines' = 26 seconds/month, telco/financial). The subcontract should define: scheduled maintenance windows excluded from uptime calculation; force majeure events excluded; the measurement method (synthetic monitoring, customer-facing endpoint, etc.); service-credit formula (typically 5% of monthly fee per 0.1% below target, up to 30-50% cap); and exit rights if sustained underperformance (typically 3 months below SLA). SLA credits are a cap on liability, not a sole remedy — the subcontract should preserve termination rights for chronic failures.

Question 4

What is source code escrow and when is it required?

Accepted Answer

Source code escrow is a three-party arrangement where the IT sub deposits source code, build scripts, documentation, and deployment keys with an independent escrow agent (Iron Mountain, NCC Group, and EscrowTech are major providers). The escrow agent releases the code to the prime or end client upon triggering events defined in the escrow agreement — typically the sub's bankruptcy, material breach of the service agreement, discontinuation of the product, or failure to perform under a support agreement. Escrow is important when: (1) the prime or client depends on proprietary software for critical operations; (2) the sub is a small company at risk of insolvency or acquisition; (3) migration to another vendor would be prohibitively expensive or time-consuming. The subcontract should require quarterly escrow deposits, a verification release (testing that the code builds and runs), and clear release conditions. Escrow typically costs $2,000-$10,000/year and is worth the cost when the sub is critical to operations.

Question 5

How should CCPA and GDPR data-processor terms be addressed?

Accepted Answer

When the IT sub processes personal data on behalf of the prime or end client, data-protection law imposes direct obligations. Under the EU GDPR Article 28, a data-processor agreement must specify: subject matter and duration of processing; nature and purpose of processing; types of personal data; categories of data subjects; controller's obligations and rights. The processor must process only on documented instructions; ensure personnel confidentiality; implement technical and organizational security measures; engage sub-processors only with controller's authorization; assist the controller with data-subject rights and breach notification; delete or return data at termination; and make information available for audits. California's CCPA/CPRA (effective 2023) imposes similar service-provider requirements. The subcontract should either incorporate a Data Processing Addendum (DPA) with Standard Contractual Clauses for EU data transfers, or require a standalone GDPR-compliant DPA.

Question 6

How should breach notification work for IT subs?

Accepted Answer

The subcontract should require the IT sub to notify the prime of any security incident — defined broadly to include confirmed unauthorized access, suspicious activity, data loss, malware infection, or compromise of authentication credentials — within 24-72 hours of discovery. Notification timing depends on the data involved: HIPAA PHI breaches require notification to the upstream BA within 5-10 business days; GDPR personal data breaches must be notified to the controller without undue delay (the DPA should specify 24-48 hours to give the controller time to meet its 72-hour regulatory notification obligation); SOX Section 404 material weaknesses require prompt disclosure to auditors; PCI-DSS cardholder data breaches require notification to the acquirer within the contract timeframe. The subcontract should define a security incident, specify the notification recipient and method, require cooperation in the investigation and remediation, and require the sub to bear all costs of forensic investigation, notification, credit monitoring, and regulatory fines to the extent caused by the sub's negligence.

Question 7

What insurance does an IT subcontractor need?

Accepted Answer

Beyond standard CGL and workers' comp, IT subs need cyber liability insurance. First-party cyber coverage includes incident response costs, forensic investigation, legal review, customer notification, credit monitoring, PR/reputation management, business interruption, and cyber extortion (ransomware). Third-party coverage includes privacy and security liability, network security liability, media liability, and regulatory defense (GDPR/CCPA fines where insurable). Standard limits are $1M-$5M for mid-market IT consulting, $10M-$25M for SaaS platforms. Technology E&O (Errors & Omissions) covers professional liability for software defects, SLA failures, and consulting errors — typically $1M-$5M. The subcontract should require annual certificates of insurance naming the prime as additional insured where legally permissible (cyber policies have additional-insured limitations due to the pooled-claims nature), and require the sub to maintain coverage for 3 years after service termination for latent claims.

Question 8

What IP ownership approach is best for custom code?

Accepted Answer

For custom software and consulting deliverables, the subcontract should vest all rights in the prime (or the prime's client) through a two-step mechanism: (1) a work-for-hire declaration for deliverables that fit any of the nine 17 USC § 101 categories, plus (2) a present assignment of all intellectual property rights for everything else, explicitly including copyrights, patents, trade secrets, trademarks, and moral rights. Exclude from the assignment: the sub's pre-existing tools and libraries (with a perpetual, royalty-free license to prime for any embedded in deliverables); open-source components (with compliance obligations flowing to the sub); and the sub's residual knowledge and skills. Require the sub to disclose all pre-existing IP and open-source dependencies in a schedule. This 'assignment + pre-existing IP license' structure is the market standard and avoids the fragmentation that occurs with pure licensing.

Question 9

How should open-source license compliance be handled?

Accepted Answer

Open-source software (OSS) licenses impose obligations on users: attribution (MIT, BSD, Apache), copyleft (GPL, LGPL, AGPL), patent-license grants (Apache 2.0, MPL), and disclosure of modifications (GPL). Using GPL-licensed code in a commercial deliverable can trigger a copyleft obligation to release the entire work under GPL — a catastrophic outcome for proprietary software. The subcontract should require the sub to: maintain an OSS inventory (a Software Bill of Materials or SBOM in SPDX or CycloneDX format); comply with all OSS license terms including attribution and source disclosure; not include any OSS under AGPL, GPL, or other copyleft licenses without prior written approval from the prime; indemnify the prime for any third-party OSS claims; and warrant that the deliverables do not incorporate any OSS that would require relicensing of the prime's proprietary code. OSS scanners like FOSSA, Black Duck, or Snyk should be required as part of the sub's build pipeline.

Question 10

What is the difference between a staff augmentation and a managed service subcontract?

Accepted Answer

Staff augmentation is the placement of an IT sub's personnel under the prime's direction to supplement prime's in-house team. The prime controls the work, the sub provides the people. Classification risk is highest in staff aug because the personnel often look like prime employees to the IRS and state agencies (same desks, same supervisors, same tools). Managed services is an outcome-based model: the prime hires the sub to deliver defined results (99.9% uptime, 4-hour response time, monthly reports) and the sub controls how the work is performed. Classification risk is lower in managed services because the sub retains control of methods. The subcontract should clearly identify which model applies: staff aug agreements need strong classification documentation and careful worker-classification language; managed service agreements need detailed SLAs, KPIs, and outcome metrics. Do not mix the two in the same contract — it creates ambiguity that favors reclassification to employment on audit.

Question 11

What warranty and limitation of liability is standard?

Accepted Answer

IT subs typically warrant that (1) services will be performed in a professional and workmanlike manner; (2) deliverables will conform to documented specifications for 90 days; (3) deliverables will not infringe third-party IP rights; (4) the sub is authorized to do business and licensed as required; (5) the sub will comply with applicable law. Limitation of liability clauses typically cap the sub's total liability at 1-2x the fees paid in the prior 12 months and disclaim consequential damages (lost profits, loss of data, loss of goodwill). Exceptions to the cap and the disclaimer should include: breach of confidentiality, IP infringement indemnity, data-breach obligations, gross negligence or willful misconduct, and indemnification obligations under HIPAA/GDPR/CCPA. The prime should push back on caps that are lower than 1x fees or that exclude common liability categories. Software warranties should run 12 months from acceptance rather than delivery, especially for latent defects that only appear in production.

Question 12

How should worker classification be addressed for IT contractors?

Accepted Answer

IT staff-aug contractors face the highest classification risk because they often work alongside employees on the same projects with the same tools. The subcontract should document every factor that supports independent-contractor status: the sub is an independently incorporated business; supplies its own computer, development tools, and software licenses (or is reimbursed at cost); sets its own hours (at least nominally); can accept other clients; is paid by the hour or by deliverable with invoices rather than payroll; carries its own insurance (E&O, cyber, liability); and is responsible for self-employment taxes. The prime should not: deduct benefits; require the sub to attend all-hands meetings or team-building; assign the sub a desk or cubicle long-term; issue performance reviews; require vacation approval. California's AB 5 (Labor Code § 2775) provides a B2B exception only if 12 strict conditions are met, including written contract, business-entity status, independent clients, and performance outside the hiring party's usual business. Misclassification settlements in tech average $5,000-$25,000 per worker.

IT Subcontractor Agreement

What Is an IT Subcontractor Agreement?

When to Use an IT Subcontractor Agreement

Key Provisions

Scope & SLA

Data security & SOC 2

IP assignment

Cyber-liability insurance

Breach notification

Source code escrow

Open-source compliance

Limitation of liability

Legal Considerations

IT-Specific Issues

How to Fill Out the Agreement

Identify the parties

Scope of services

SLA and service credits

IP assignment

Data-protection DPA/BAA

Security attestations

Insurance minimums

Sign and retain

Frequently Asked Questions

Create your IT subcontract in under 10 minutes.

IT Subcontractor Agreement

What Is an IT Subcontractor Agreement?

When to Use an IT Subcontractor Agreement

Key Provisions

Scope & SLA

Data security & SOC 2

IP assignment

Cyber-liability insurance

Breach notification

Source code escrow

Open-source compliance

Limitation of liability

Legal Considerations

IT-Specific Issues

How to Fill Out the Agreement

Identify the parties

Scope of services

SLA and service credits

IP assignment

Data-protection DPA/BAA

Security attestations

Insurance minimums

Sign and retain

Frequently Asked Questions

Related Documents

Subcontractor Agreement (Hub)

Software Development Subcontractor

HIPAA Subcontractor

Non-Disclosure Agreement

IP Assignment Agreement

Create your IT subcontract in under 10 minutes.