Contract Risk Analyzer

Contract Risk Analyzer

Overview

You've got a contract. You don't have a lawyer on speed dial. This skill walks you through what actually matters.

This skill analyses five clauses that make or break deals for founders and early-stage companies:

1. Limitation of Liability — How much financial damage you're exposed to
2. Indemnities — Who pays if things go wrong
3. IP Ownership — Who owns what you create
4. Data Protection — How you handle customer/user data legally
5. Termination — How and when the contract ends (and who owes what after)

For each clause, you'll get:

• What it means (plain English, no legal jargon)
• Red flags (things that should scare you)
• Negotiation tips (what to push back on)
• Severity rating (how much this matters to your business)

⚠️ Important: This is analysis to inform your decision-making. It is NOT legal advice. Get a lawyer involved before you sign anything material. This skill is your first pass—a way to spot problems early so you know which parts to negotiate harder on.

---

When to Use This Skill

✅ Use this skill when:

• You're reviewing a vendor agreement, service contract, or partnership deal
• You have a contract but haven't engaged a lawyer yet
• You want to understand what you're actually agreeing to
• You're deciding what clauses are worth negotiating vs. accepting as-is

❌ Don't use this skill as a substitute for legal counsel on:

• M&A or major fundraising documents
• Employment or contractor agreements (different risk profile)
• Complex IP licensing deals with multiple jurisdictions
• Anything with high financial exposure or regulatory risk

---

How to Get Started

Step 1: Upload or Paste Your Contract

Share the contract (or the relevant sections). The more complete it is, the better the analysis.

Step 2: I'll Ask Clarifying Questions

• What's the relationship? (vendor, partner, client, service provider?)
• What's the deal worth? (ballpark—this affects severity ratings)
• What's your main business concern? (IP risk, liability exposure, data security, flexibility to exit?)

Step 3: You'll Get a Risk Analysis

For each of the five clauses, you'll see:

• A plain-English summary of what it says
• 🚩 Red flags (specific language to watch out for)
• 💡 Negotiation tips (what language to propose instead)
• Risk score: 🔴 High | 🟡 Medium | 🟢 Low

Step 4: Act on the Results

Decide which clauses you want to push back on, and use the suggested language in negotiations. Flag uncertain areas for your lawyer to review.

---

The Five Clauses Explained

1. Limitation of Liability

What it means: If the other party messes up and causes you financial damage, they want to limit how much they have to pay you. This clause sets a cap on your damages.

Why it matters to founders: If a vendor crashes your data, or a partner fails to deliver, you want to know the maximum you can recover. A one-sided limitation of liability clause means you're bearing all the risk.

Red flags 🚩

• Liability cap = $0 or extremely low (e.g., capped at fees you paid in one month)
• "In no event shall either party be liable for indirect, incidental, or consequential damages" (this means lost revenue, lost business opportunities don't count)
• One-sided: The other party's liability is capped, but yours isn't
• "As-is" service with no liability (especially risky if it's your core business function)
• No carve-out for gross negligence or wilful misconduct (should always exclude intentional harm)

Negotiation tips 💡

• Push for a mutual cap (same limit for both parties)
• Carve-outs matter: Make sure liability for data breaches, IP infringement, and gross negligence are NOT capped
• Proportional to the deal: If you're paying $50k/year, a $50k cap is reasonable. If you're betting your business on it, fight for higher.
• Suggest: "Limitation of Liability shall not apply to: (a) gross negligence or wilful misconduct, (b) breach of confidentiality obligations, (c) infringement of IP rights, (d) data breach or loss of data."

Risk scoring:

• 🔴 High if: Liability is capped at zero or one month of fees AND you're relying on this vendor/partner for core business
• 🟡 Medium if: Cap is reasonable but missing carve-outs for data breaches or IP infringement
• 🟢 Low if: Mutual cap, carve-outs included, proportional to deal size

---

2. Indemnities

What it means: An indemnity is a promise to reimburse the other party if a third party sues them over something you did (or didn't do). You're essentially buying their legal insurance.

Why it matters to founders: If your product infringes someone's patent, or you accidentally use someone's copyrighted content, they want you to pay for their legal defence. Broad indemnity clauses can bankrupt early-stage companies.

Red flags 🚩

• Indemnity for "any claim" (too broad; should be specific to your actions)
• Indemnity for third-party IP infringement (you're agreeing to defend them if they get sued for their IP—not your problem)
• No limitation on your indemnity obligation (should have a cap, same as liability)
• "Sole remedy" indemnity (means you can't sue them; you just have to pay)
• No notice requirement (they don't have to tell you about claims—you could owe money without knowing)
• No control over defence (they can hire expensive lawyers and bill you)

Negotiation tips 💡

• Limit scope: "Each party shall indemnify the other against claims arising from that party's breach of this agreement" (not every possible claim)
• Add notice requirement: "The indemnified party shall promptly notify the indemnifying party of any claim and grant reasonable control over defence."
• Cap it: Indemnity obligations should have the same cap as liability
• Exclude what's not your fault: "Indemnity shall not apply to claims arising from [other party's] modifications to the product/service, misuse, or negligence."
• IP indemnity tip: If they're a vendor/partner, YOU shouldn't indemnify THEM for IP infringement of their work. Flip it: they indemnify you for IP risks in their product.

Risk scoring:

• 🔴 High if: Broad, uncapped indemnity + no control over defense + no notice requirement
• 🟡 Medium if: Indemnity is reasonable but missing one or two protections
• 🟢 Low if: Capped, limited in scope, mutual, with notice and control provisions

---

3. IP Ownership

What it means: Who owns the intellectual property (code, designs, content, processes) created during the relationship?

Why it matters to founders: This is everything. If you build something valuable, you need to own it. Ambiguous IP ownership can derail fundraising, product pivots, or exits.

Red flags 🚩

• "All work product belongs to [the other party]" (you're building something you can't keep or reuse)
• "Any inventions or improvements are the company's property" (catch-all that could include stuff unrelated to the contract)
• No carve-out for pre-existing IP (they're claiming ownership of code/tools you already had)
• Ambiguous ("All work created during the term" — does this include personal projects on weekends?)
• No assignment of third-party IP (e.g., if you license open-source code, it should be clear who owns the right to use it)
• "Background IP" undefined (what counts as "background"? Your existing code? Third-party libraries?)

Negotiation tips 💡

• For independent contractors/vendors: Push for YOU to own the IP created specifically for your project

  • "All work created under this agreement shall be the exclusive property of [Founder's Company]"
  • Carve-out for vendor's background IP: "...excluding [Vendor]'s pre-existing tools, templates, and processes"

• For partnerships: Be explicit about ownership splits

  • "Jointly created IP shall be owned jointly, with each party free to use without royalty"
  • Or: "IP created by [Party A] shall be owned by [Party A]; IP created by [Party B] shall be owned by [Party B]"

• For open-source: Make clear who has the right to use it

  • "The work incorporates [specific open-source license, e.g., MIT, Apache 2.0]. Each party has the right to use the work under the terms of that license."

• Define "Background IP":

  • "Background IP means any pre-existing intellectual property owned by a party before this agreement, listed in Appendix A."

Risk scoring:

• 🔴 High if: Other party owns everything you create; no carve-out for your pre-existing work; ambiguous scope
• 🟡 Medium if: IP ownership is split but role/scope is unclear
• 🟢 Low if: Clear ownership (you own what you build), carve-outs for background IP, scope is specific

---

4. Data Protection

What it means: If you collect, store, or process customer data, user data, or any personal information, this clause says how you have to handle it legally.

Why it matters to founders: Data breaches are expensive (fines, liability, reputation damage). If you're handling data and you're not compliant, you're exposed. GDPR (Europe), CCPA (California), and other laws impose heavy fines for mishandling data.

Red flags 🚩

• No mention of data protection at all (if you handle ANY personal data, this is a problem)
• "No responsibility for data security" (you're handling data with no obligation to protect it)
• No data processing agreement (DPA) (required by law in many jurisdictions if you're processing EU/UK data)
• Data is stored indefinitely (should have a retention/deletion policy)
• No encryption requirement (especially for sensitive data)
• "We can use your data for any purpose" (should be limited to what's necessary for the contract)
• No breach notification clause (you have no obligation to tell people if their data is leaked)
• Sub-processors not disclosed (if they're using a third party to store/process data, you should know)

Negotiation tips 💡

• If you're the vendor (collecting data): Push for explicit scope

  • "We will process personal data only as necessary to provide the services and for no other purpose."
  • "Personal data shall be encrypted in transit and at rest."
  • "We will delete personal data within [30/60] days of contract termination unless legally required to retain."

• If they're collecting YOUR data: Add protections

  • "You shall implement industry-standard security measures (encryption, access controls, etc.)"
  • "You shall notify us of any data breach within 72 hours."
  • "We can request deletion of our data at any time."

• Data Processing Agreement (DPA): If anyone is handling EU/UK personal data, a DPA is legally required. Ask for it.

  • "Processor shall execute a Data Processing Agreement compliant with GDPR Article 28 (or UK GDPR equivalent)."

• Retention policy: Be explicit

  • "Personal data shall be retained only as long as necessary to fulfil the purposes stated in this agreement, typically [X days/months]."

Risk scoring:

• 🔴 High if: Handling personal data with no data protection clause; no encryption; no breach notification; no DPA when required by law
• 🟡 Medium if: Data protection clause exists but missing encryption, retention policy, or breach notification
• 🟢 Low if: Clear data handling obligations, encryption, retention policy, breach notification, DPA when applicable

---

5. Termination

What it means: How, when, and on what terms can either party end the contract? What happens to data, payments, and IP after?

Why it matters to founders: Bad termination clauses can lock you in, require expensive penalties to exit, or leave you without access to critical data or tools. Early-stage companies need flexibility.

Red flags 🚩

• "For cause only" (no termination without breach) (you're locked in even if circumstances change)
• Termination penalties / early exit fees (disproportionately high; should be proportional to contract value)
• Long notice period (30+ days is reasonable; 90+ days or more locks you in)
• No provision for immediate termination for material breach (you're stuck even if they stop performing)
• Data held hostage (no right to export your data after termination; they control it)
• No survival clause clarity (what obligations continue after termination? Should be explicit)
• "Wind-down" period costs money (you're paying to exit; watch out)

Negotiation tips 💡

• Termination rights: Push for flexibility

  • "Either party may terminate for convenience with [15-30] days' written notice."
  • "Either party may terminate immediately for material breach if not cured within [10] days of notice."

• Wind-down: If there's a wind-down period, limit it

  • "Upon termination, [Vendor] shall provide [X] days of technical support at no additional cost. Thereafter, standard rates apply."

• Data: Make sure you can get your data out

  • "Upon termination, [Vendor] shall provide all [Your Company]'s data in a standard format within [10] business days, at no cost."
  • "Vendor shall delete all [Your Company]'s data within [30] days unless legally required to retain."

• Survival clauses: Be explicit about what lasts after the contract ends

  • "The following shall survive termination: Confidentiality (for [X] years), Indemnity (for [X] years), IP ownership (indefinitely)."

• Refunds: If you've prepaid for services/licenses

  • "Any prepaid fees for unused services shall be refunded within [15] days of termination."

Risk scoring:

• 🔴 High if: No termination for convenience; heavy penalties; long notice periods; data hostage; no survival clause
• 🟡 Medium if: Termination clause exists but missing one or two protections (e.g., can exit but data provision unclear)
• 🟢 Low if: Termination for convenience with reasonable notice, data export rights, clear survival clauses, fair wind-down terms

---

Next Steps After the Analysis

1. Prioritise: Use the risk scores to decide which clauses matter most for your business
2. Negotiate: Share the suggested language from this analysis with the other party
3. Get legal eyes: Have a lawyer review the final contract before you sign
4. Document: Keep a copy of the signed contract and any amendments you negotiated

---

Disclaimers

• This skill provides analysis and guidance, not legal advice
• Every contract is different. Jurisdictions vary. Industries have different norms.
• Use this analysis to inform your decisions, not replace professional legal counsel
• Especially for high-stakes deals or unfamiliar territory, involve a lawyer early
• You (the founder) are responsible for what you agree to

---

Questions or Edge Cases?

If you have clauses that don't fit these five categories, or if your contract is industry-specific (SaaS, healthcare, fintech, etc.) with unusual terms, tell me. I can adapt the analysis.

If you're not sure which clauses are most important for your deal, describe the relationship and I can help you prioritise.