Question 1

What is an IT subcontractor agreement?

Accepted Answer

An IT subcontractor agreement is a contract between a primary technology company (the prime contractor or managed services provider) and an independent IT subcontractor who performs specific technology services — software development, network infrastructure, cloud migration, cybersecurity assessments, database administration, help desk support, or system integration. Unlike hiring an employee, the IT subcontractor operates as a separate business entity, controls their own methods and tools, may work for multiple clients simultaneously, and assumes responsibility for their own taxes, benefits, and insurance. The agreement governs intellectual property ownership (who owns the code, designs, and deliverables), data security and confidentiality obligations, service level agreements (SLAs), acceptance testing criteria, and the specific technology stack or standards the subcontractor must follow. IT subcontracting carries unique risks around IP ownership, data breach liability, and regulatory compliance that require specialized contractual provisions not found in general subcontractor agreements.

Question 2

Who owns the intellectual property created by an IT subcontractor?

Accepted Answer

Under default U.S. copyright law, the creator of a work owns the copyright — meaning without a written agreement, the IT subcontractor owns the code, designs, architectures, and other creative works they produce. This is the opposite of the rule for employees, whose work-for-hire creations are owned by the employer. The subcontractor agreement must include an explicit IP assignment clause that transfers ownership of all deliverables, work product, inventions, and related IP to the hiring party upon creation or upon payment. The agreement should also address: pre-existing IP (code libraries, frameworks, or tools the subcontractor brings into the project — these should be licensed, not assigned); third-party open-source components (documenting all open-source licenses used and ensuring compatibility with the project's licensing requirements); derivative works; and moral rights waivers where applicable. Without a clear IP assignment clause, the hiring party may find itself in the position of having paid for software it does not legally own.

Question 3

What data security obligations should the agreement include?

Accepted Answer

Data security provisions are critical because IT subcontractors frequently access, process, or store sensitive data — customer records, financial data, health information, authentication credentials, and proprietary source code. The agreement should require: compliance with applicable data protection regulations (GDPR for EU data, CCPA/CPRA for California consumers, HIPAA for health information, PCI DSS for payment card data, SOC 2 for service organizations); encryption standards for data at rest (AES-256) and in transit (TLS 1.2+); access controls (least privilege, multi-factor authentication, VPN requirements); incident response obligations (notification within 24-72 hours of discovering a breach); data handling upon contract termination (secure deletion with certification, return of all client data); restrictions on data storage locations (no offshore data transfer without approval); background check requirements for personnel handling sensitive data; and the right for the hiring party to conduct security audits of the subcontractor's systems and practices.

Question 4

How should service level agreements (SLAs) be structured?

Accepted Answer

SLAs define measurable performance standards the IT subcontractor must meet and the consequences of falling short. For managed services or ongoing support engagements, SLAs typically address: uptime guarantees (99.9% is standard for production systems, with calculated allowable downtime — 99.9% allows approximately 8.7 hours of downtime per year); response time targets by severity level (Severity 1/Critical: 15-minute response, 4-hour resolution target; Severity 2/High: 1-hour response, 8-hour resolution; Severity 3/Medium: 4-hour response, 2 business days; Severity 4/Low: 1 business day response, 5 business days); service credits for SLA violations (typically 5-10% of monthly fees per violation, capped at 20-30% of monthly fees); exclusions from SLA calculations (planned maintenance windows, force majeure events, issues caused by the client's systems); and reporting requirements (monthly SLA performance reports with root cause analysis for any violations). For project-based work, SLAs focus on milestone delivery dates, defect rates, and acceptance testing timelines.

Question 5

What happens to source code and documentation if the relationship ends?

Accepted Answer

The agreement should include comprehensive knowledge transfer and transition provisions: the subcontractor must deliver all source code, compiled code, configuration files, database schemas, API documentation, architecture diagrams, deployment procedures, admin credentials, and system documentation upon termination; source code should be delivered in a version-controlled repository (Git) with complete commit history; the subcontractor must participate in a transition period (typically 30-90 days) to transfer knowledge to the replacement team, at the hiring party's cost for terminations without cause; all client data must be returned and securely deleted from the subcontractor's systems with a written certification of destruction; software escrow arrangements should be considered for critical systems (the source code is held by a neutral third party and released to the client if the subcontractor ceases operations or breaches the agreement); and any license keys, API tokens, or credentials created during the engagement must be transferred or regenerated.

Question 6

How should the agreement address worker classification for IT subcontractors?

Accepted Answer

IT worker classification is heavily scrutinized because the technology sector has a high rate of misclassification disputes. The IRS, state agencies, and courts examine the degree of control the hiring party exercises over how the work is performed. Factors favoring independent contractor status include: the subcontractor uses their own equipment, development environment, and tools; they set their own hours and work location (remote work is standard in IT); they work for multiple clients; they are engaged for a defined project or deliverable rather than ongoing, indefinite work; they bear the risk of profit or loss; and they have the ability to hire their own staff. Factors that suggest employment include: working exclusively for one company on an ongoing basis; using the company's equipment and proprietary systems; attending mandatory meetings and following company processes; and having the company control not just what work is done but how it is done. California's AB 5 and similar state laws apply strict ABC tests that make IT contractor classification particularly challenging — the subcontractor must demonstrate they perform work outside the usual course of the hiring entity's business.

Question 7

What liability and indemnification provisions are appropriate for IT work?

Accepted Answer

IT subcontracting involves significant liability exposure because technology failures can cascade into business losses far exceeding the contract value — a security breach, data loss, or system outage can cost millions. The agreement should address: limitation of liability (most IT agreements cap the subcontractor's total liability at 1-2x the total contract value, or at the amount of their insurance coverage); exclusion of consequential damages (lost profits, lost data, business interruption — though the hiring party should try to carve out exceptions for IP infringement, data breaches, and confidentiality violations); indemnification for third-party claims arising from the subcontractor's work (IP infringement, data breaches, regulatory violations); professional liability (errors and omissions) insurance requirements ($1-5 million depending on project scope); cyber liability insurance requirements; and the interaction between limitation of liability clauses and insurance coverage — ensuring that insurance limits are sufficient to cover the liability cap.

Question 8

Should the agreement include non-compete or non-solicitation clauses?

Accepted Answer

Non-compete clauses are increasingly disfavored for independent contractors and are void or heavily restricted in many states (California bans them entirely for both employees and contractors; the FTC has proposed a federal ban). A narrow non-solicitation clause is more likely to be enforceable and more appropriate for a subcontractor relationship. The agreement may include: a non-solicitation of the hiring party's clients (preventing the subcontractor from directly soliciting the hiring party's end clients for competing IT services for 12-24 months after the engagement ends); a non-solicitation of employees (preventing the subcontractor from hiring or recruiting the hiring party's employees for a defined period); and a restriction on using confidential information to compete. The agreement should explicitly acknowledge that the subcontractor is free to work for other clients, including competitors, provided they do not use confidential information or violate non-solicitation restrictions. Any restrictive covenants should be reasonable in geographic scope, duration, and activity restrictions to maximize enforceability.

Question 9

How should acceptance testing be handled for IT deliverables?

Accepted Answer

Acceptance testing is the formal process by which the hiring party evaluates whether the subcontractor's deliverables meet the agreed specifications. The agreement should define: specific acceptance criteria for each deliverable (functional requirements, performance benchmarks, security standards, compatibility with existing systems); the testing methodology (unit testing, integration testing, user acceptance testing, load testing, security penetration testing); the testing period (typically 10-30 business days after delivery, depending on complexity); the process for reporting defects (categorized by severity — critical defects that prevent acceptance, major defects that must be fixed but don't prevent conditional acceptance, minor defects that can be addressed post-acceptance); the subcontractor's obligation to fix defects within a defined timeframe (5-10 business days for critical, 30 days for major); the number of test/fix cycles before the hiring party can terminate for cause (typically 2-3 failed acceptance cycles); and deemed acceptance provisions (the deliverable is deemed accepted if the client fails to provide written rejection within the testing period).

Question 10

What payment structures work best for IT subcontracting?

Accepted Answer

IT subcontracting uses several payment structures depending on the engagement type: time and materials (T&M) with rate cards — the most common for staff augmentation and ongoing support, with hourly or daily rates by skill level (junior developer, senior developer, architect, project manager) and monthly invoicing based on actual hours worked; fixed-price/lump sum for well-defined projects with clear specifications — payment tied to milestone completion (e.g., 20% at kickoff, 20% at design approval, 30% at beta delivery, 30% at final acceptance); retainer arrangements for managed services and ongoing support — a fixed monthly fee covering a defined scope of hours or services, with overages billed at pre-agreed rates; and hybrid models combining a fixed base with T&M for change requests. The agreement should specify: invoice format and required documentation (timesheets, progress reports, milestone completion evidence), payment terms (net-30 is standard, net-15 for smaller subcontractors), late payment penalties, and the right to withhold payment for deliverables that fail acceptance testing.

Component	Purpose	Key Details
Statement of Work	Defines the technology scope	Deliverables, milestones, technology stack, environments, acceptance criteria, exclusions
IP Assignment	Transfers ownership of work product	Code ownership, pre-existing IP license, open-source disclosure, moral rights waiver
Data Security	Protects sensitive information	Encryption, access controls, breach notification, GDPR/CCPA/HIPAA compliance, audit rights
Confidentiality	Restricts information disclosure	NDA terms, trade secret protection, return/destruction obligations, survival period
Service Levels	Sets performance standards	Uptime guarantees, response/resolution times, service credits, maintenance windows
Acceptance Testing	Validates deliverable quality	Test criteria, testing period, defect severity levels, fix cycles, deemed acceptance
Payment Terms	Structures compensation	T&M rates, fixed milestones, retainer, invoice format, holdback for acceptance
Transition & Exit	Ensures continuity at termination	Knowledge transfer, code handover, data return/deletion, transition assistance period

Free IT Subcontractor Agreement Forms

What Is an IT Subcontractor Agreement?

IP Ownership

Data Security

SLA Guarantees

IT Subcontractor Agreement Form Preview

IT Subcontractor Agreement

Key Components

How to Create an IT Subcontractor Agreement

Draft the Statement of Work

Establish IP and Confidentiality Terms

Define Data Security and Compliance Requirements

Set SLAs and Acceptance Testing Procedures

Structure Payment and Change Management

Address Termination, Transition, and Dispute Resolution

Frequently Asked Questions

Official Resources

Create Your IT Subcontractor Agreement