Question 1

What is a work breakdown structure and why does it matter?

Accepted Answer

A work breakdown structure (WBS) is a hierarchical decomposition of the total scope into manageable sections. For software development subcontracts, a WBS typically decomposes the project into phases (requirements, design, implementation, testing, deployment), then into features, then into individual tasks with estimated hours. The WBS is the foundation of accurate pricing, scheduling, and scope control. The subcontract should require the sub to deliver a WBS as an early deliverable (often the first milestone), use it as the basis for pricing milestones and change orders, and update it when scope changes. Without a WBS, 'additional features' become continuous scope creep that erodes margin and creates disputes. The PMI PMBOK Guide specifies WBS best practices. Modern agile teams use product backlogs and sprint plans as equivalents, but the contract should still require measurable deliverables at defined milestones.

Question 2

How should acceptance criteria be defined?

Accepted Answer

Acceptance criteria define when a deliverable is complete and ready for payment. Best practice is to include: a written test plan for each milestone specifying which tests must pass before the deliverable is accepted; acceptance criteria as part of each user story or sprint ticket; performance benchmarks (response time, throughput, concurrent users, uptime); compatibility requirements (browsers, devices, operating systems); security requirements (OWASP Top 10, penetration test findings resolution); documentation requirements (API docs, deployment guide, admin manual). The subcontract should require the sub to deliver against the written acceptance criteria, conduct its own testing before delivery, remediate failed tests at no additional cost, and trigger payment only upon the prime's written acceptance. Without written acceptance criteria, the prime has to pay for subjective deliverables and loses leverage on quality.

Question 3

How should IP ownership be structured for custom software?

Accepted Answer

Custom software IP must be vested in the prime (or the end client) through a two-step mechanism: (1) a work-for-hire declaration for deliverables fitting the nine categories in 17 USC § 101, plus (2) a present assignment of all intellectual property rights — copyrights, patents, trade secrets, trademarks, and moral rights — for everything else. Software development rarely fits the nine 17 USC § 101 categories (no exception for computer programs), so work-for-hire language alone is insufficient. The subcontract must include explicit present-assignment language: 'Subcontractor hereby assigns to Prime all right, title, and interest in and to the Work Product, including all copyrights, patents, trade secrets, trademarks, and moral rights, worldwide.' Exclude from the assignment: pre-existing tools and libraries with a perpetual royalty-free license to prime; open-source components with compliance obligations flowing to the sub; and the sub's residual knowledge and skills. Require a further-assurances clause binding the sub to execute additional documents needed to perfect the assignment.

Question 4

What is source code escrow and when is it required for software subs?

Accepted Answer

Source code escrow is a three-party arrangement where the sub deposits source code, build scripts, deployment documentation, and environment keys with an independent escrow agent (Iron Mountain, NCC Group, or EscrowTech) for release to the prime upon triggering events. For custom-software subcontracts, escrow is critical when: (1) the deliverable is mission-critical to the prime or end client's operations; (2) the sub is a small company at risk of insolvency or acquisition; (3) the sub retains ownership of platform or library code underlying the deliverable. The subcontract should require quarterly escrow deposits, a verification-release where the escrow agent tests that the code builds and runs, and clear release conditions: sub's bankruptcy, material breach of service agreement, discontinuation of product, failure to perform support obligations. Escrow typically costs $2,000-$10,000 per year. Even for staff-aug subcontracts, escrow is worth considering for specialty proprietary libraries.

Question 5

How should open-source license compliance be handled?

Accepted Answer

Open-source software licenses impose obligations on use: attribution (MIT, BSD, Apache); copyleft (GPL, LGPL, AGPL); patent-license grants (Apache 2.0, MPL); source-disclosure on distribution (GPL). Using AGPL or GPL in proprietary software triggers copyleft — the entire combined work must be released under GPL. This is catastrophic for commercial software. The subcontract should: require the sub to maintain a Software Bill of Materials (SBOM) in SPDX or CycloneDX format identifying every OSS dependency and its license; prohibit use of AGPL, GPL, LGPL, MPL, or any copyleft license without prior written approval; require compliance with all OSS license obligations (attribution, source disclosure if applicable); require the sub to indemnify the prime for any OSS infringement claim; require OSS scanning tools (FOSSA, Black Duck, Snyk) as part of the CI/CD pipeline. Failure to comply with GPL in distributed software has resulted in multi-million-dollar settlements and forced open-sourcing of proprietary code.

Question 6

What SLA and warranty should apply to software deliverables?

Accepted Answer

Software deliverables should have two distinct quality commitments: acceptance-period warranty (90 days from delivery) covering conformance to written specifications, and general warranty (12 months from acceptance) covering defects and workmanlike performance. Warranty remedies: repair at sub's cost; re-delivery of fixed version; refund of fees if repair is impractical. Running software (SaaS, managed services) adds SLA uptime (99.9% or better with service credits), response-time commitments for bug fixes (severity 1: 4 hours; severity 2: 24 hours; severity 3: 5 business days), and availability of technical support. The subcontract should require the sub to maintain a bug-tracking system accessible to the prime, commit to published response times, and cap liability at a reasonable multiple of fees (typically 1-2x, with exceptions for confidentiality, IP infringement, data breach, and gross negligence).

Question 7

What insurance should a software development subcontractor carry?

Accepted Answer

Beyond standard CGL and workers' comp: technology errors and omissions (Tech E&O) insurance covering software defects, consulting errors, and IP infringement — minimum $1M-$5M depending on project size; cyber-liability insurance with first-party (incident response, forensic, notification, credit monitoring) and third-party (privacy and security liability) coverage — minimum $1M-$5M; IP infringement specifically covered by Tech E&O or separate policy; media liability for web/mobile apps. The subcontract should require certificates of insurance, naming the prime as additional insured where legally permissible (cyber policies have limitations), with a 3-year reporting tail after termination for latent claims. Many sophisticated clients require Tech E&O of $5M+ for enterprise software work, $10M+ for mission-critical or regulated (healthcare, financial) software.

Question 8

How should worker classification apply to software development subs?

Accepted Answer

Classification risk is high in staff-augmentation software subcontracts because individual engineers often work embedded with the prime's team. California AB 5 (Labor Code § 2775) presumes employment under the ABC test; the B2B exception (Labor Code § 2776) requires twelve strict conditions including written contract, business-entity status, independent clients, and performance outside hiring party's usual business. If the sub is a software consulting firm and the prime is a software company, factor B (work outside hiring party's usual business) is difficult to satisfy. The subcontract should: require the sub to be an independently incorporated business (not a sole prop); require the sub to carry its own insurance (E&O, cyber, liability); require payment by deliverable or milestone rather than hours where possible; document that the sub has other clients and operates its own business; and require the sub to indemnify the prime for any misclassification claims by sub's workers. Staff-augmentation subs in California face particularly high reclassification exposure.

Question 9

What is a time-and-materials vs. fixed-price software subcontract?

Accepted Answer

Time-and-materials (T&M) subcontracts pay the sub for actual hours worked at an hourly rate plus reimbursable expenses. Risk is on the prime for cost overruns, but flexibility is high — useful when scope is uncertain or agile methodology is used. The prime should require: weekly time tracking with task-level detail; prior approval for non-routine expenses; a not-to-exceed (NTE) cap to limit total exposure; quarterly review of burn rate vs. estimated total. Fixed-price subcontracts pay a set price for a defined scope of work. Risk is on the sub for cost overruns — scope creep is the biggest issue. The prime should require: detailed scope and WBS before signing; clear change-order process (typically 10-20% of lump sum for non-WBS items); milestone-based payments tied to acceptance criteria; strong termination-for-convenience with fair payment for work in place. Most real-world subcontracts are a hybrid: fixed-price for the core scope and T&M for specified out-of-scope work.

Question 10

How should confidentiality be addressed?

Accepted Answer

Software development often involves access to the prime's and end client's confidential information: source code, business logic, database schemas, customer data, pricing, and product roadmaps. The subcontract should include a robust confidentiality clause (or attach a separate NDA as Exhibit C) covering: definition of confidential information (everything non-public, plus specifically identified categories); permitted uses (solely for the purpose of performing the subcontract); prohibited uses (competitive analysis, training the sub's own products, disclosure to third parties); obligations on the sub's employees and subs (written NDAs, access on need-to-know basis); DTSA whistleblower immunity language (18 USC § 1833(b)); return or destruction at termination; survival of obligations (2-5 years for confidential information, perpetual for trade secrets). For sensitive engagements (financial, healthcare, government), add a data-protection addendum with access controls, encryption, and audit rights.

Question 11

What dispute resolution applies to software subcontracts?

Accepted Answer

Software subcontracts typically use AAA Commercial Arbitration Rules (not Construction Industry Rules) because the subject matter is not construction. Mandatory mediation before arbitration is common. For U.S. disputes, venue is typically the state where the prime is headquartered, governed by that state's law. Delaware is popular for incorporated businesses due to its well-developed commercial law. Choice-of-law for international subcontracts (offshore dev teams in India, Eastern Europe, Latin America) should specify a U.S. state; the New York Convention makes U.S. arbitration awards enforceable in most countries. Include prevailing-party attorneys' fees clauses (enforceable in most states); waiver of jury trial (enforceable in most commercial contexts); and carve-outs allowing injunctive relief in court (for IP infringement, confidentiality breach, or non-competition disputes). Software IP cases benefit from injunctive relief, which arbitration cannot fully provide.

Question 12

How should termination and handoff be structured?

Accepted Answer

Software subcontract termination requires careful handoff to avoid disruption. Termination-for-convenience with 30-60 days' notice and payment for work in place is standard. Termination-for-default with 30-day cure period typically triggers the prime's right to take over the work, complete with another sub, and back-charge excess costs. Essential termination provisions: immediate return or transfer of all source code, documentation, credentials, and data; transition assistance at sub's rate (typically 30-60 days) with the outgoing sub available to answer questions; knowledge transfer documentation (architecture diagrams, API documentation, deployment runbooks, known issues); delivery of all completed and in-progress work with an accounting of what was not completed; return of all prime-provided hardware, credentials, and materials; and final invoice within 30 days of termination. The subcontract should specifically address what happens to the source code repository — transfer ownership of GitHub/GitLab repos, revoke sub's access, preserve version history.

Software Development Subcontractor Agreement

What Is a Software Development Subcontractor Agreement?

When to Use a Software Development Subcontractor Agreement

Key Provisions

Scope & WBS

IP assignment

OSS compliance

Source code escrow

Insurance

SLA & warranty

Confidentiality

Termination & handoff

Legal Considerations

Software-Specific Issues

How to Fill Out the Agreement

Identify the parties

Scope and WBS

IP assignment structure

Pricing and milestone payments

SLA and warranty

Source code escrow and handoff

Insurance minimums

Sign and retain records

Frequently Asked Questions

Create your software subcontract in under 10 minutes.