Vendor Contract Review Checklist

Contract Intake and Classification

    Pull the draft, the counterparty's W-9 or W-8BEN, and any prior version on file. Contract type drives downstream review — a 3PL MSA, a Klaviyo or Recharge SaaS order form, an influencer / UGC agreement, and a reseller MAP agreement each have distinct risk profiles.

    Attach W-9 / W-8BEN, certificate of insurance (COI) listing your entity as additional insured where applicable, references for new vendors, and any SOC 2 / ISO 27001 reports for SaaS counterparties handling customer data. Missing COIs are the most common reason contracts get bounced back at sign-off.

    High tier: contracts touching customer PII, payment data, regulated products (CBD, supplements, children's products), or annual spend over $100K. Medium: 3PL or supplier MSAs, multi-year SaaS, brand-sensitive influencer deals. Low: standard click-through SaaS under $25K with no customer-data access.

Legal and Regulatory Review

    Match the contract against the applicable regimes — FTC Endorsement Guides for influencer deals, MoCRA for cosmetics suppliers, CPSC tracking-label requirements for children's product manufacturers, PACT Act for tobacco. A contract silent on regulatory responsibility usually defaults that responsibility to the brand.

    The contract must require #ad, #sponsored, or "paid partnership" disclosures conspicuous at the start of each post — not buried below the fold or in a hashtag stack. The FTC has been actively enforcing against brands (not just creators) since the 2023 Endorsement Guides update. Include a takedown / correction obligation for non-compliant posts.

    For any vendor that processes EU/UK or California resident data — Klaviyo, Yotpo, Gorgias, Postscript, attribution platforms — the DPA must list subprocessors, set 72-hour breach notification, and include SCCs (Standard Contractual Clauses) for cross-border transfers. "Privacy policy on our website" is not a DPA.

    If the contract covers alcohol, CBD, supplements, cosmetics, children's products, or anything with state-by-state restrictions, confirm the supplier warrants compliance with FDA labeling, state DTC shipping rules, CPSC certification (GCC/CPC), and provides indemnification for compliance failures.

    For 3PL, dropship, and fulfillment contracts, confirm which party is the seller of record and bears nexus / collection responsibility post-Wayfair. For marketplace agreements, confirm marketplace-facilitator collection covers the relevant states. Misallocation here creates accumulating multi-state liability.

Financial and Payment Terms

    For 3PL contracts, confirm per-pick, per-pack, per-box, and storage rates against your forecasted volume; ask whether dimensional weight pricing applies. For SaaS, confirm overage rates — Klaviyo profile-tier jumps and Gorgias ticket overages routinely break budgets when volume seasonality is ignored.

    Net 30 ACH is standard; vendors pushing Net 15 or wire-only on a new MSA usually have collection history reasons. Confirm currency for international suppliers and who bears FX cost. Auto-debit terms on SaaS need a designated cardholder so card-expiry doesn't take Klaviyo offline mid-launch.

    Watch for compounding late fees over 1.5%/month and auto-suspension clauses with no cure period. For payment-processor MSAs, confirm chargeback handling, dispute response windows, and reserve / rolling-reserve mechanics — surprise reserves can choke cash flow during Q4.

SLAs and Performance Standards

    For 3PLs, lock down: same-day-ship cutoff time (typically 2pm local), pick accuracy ≥ 99.5%, inventory accuracy ≥ 99%, receiving lead time, and peak-season volume commitments. Without a peak commitment in writing, your 3PL will deprioritize you in Q4 in favor of larger clients.

    For storefront-critical SaaS — Shopify apps in the checkout path, Recharge, Klaviyo for transactional email — confirm 99.9%+ uptime, P1 response under 1 hour, and status-page subscription. "Best efforts" is not an SLA.

    Service credits should be meaningful (10-25% of monthly fees per SLA breach), capped at the monthly fee, and stack across categories. Confirm credit issuance is automatic on report, not gated on customer-filed claim within 5 days — credits you have to chase rarely get paid.

IP, Data, and Confidentiality

    For influencer / UGC / photographer agreements, secure a perpetual, royalty-free license for use across paid social, email, web, Amazon A+, and packaging — not just "organic social." Many creators' default templates limit usage to 90 days on a single channel, which kills ad reuse.

    The NDA should survive 3-5 years post-termination for general confidential information and indefinitely for trade secrets (formulations, sourcing, customer lists). A mutual NDA is preferred. Confirm subcontractors are bound to equivalent confidentiality.

    Pull the vendor's current subprocessor list; many SaaS tools chain through 10+ subprocessors. Confirm breach notification within 72 hours (GDPR floor) with cooperation on customer notification. Verify right-to-audit or SOC 2 Type II report for high-risk processors.

Termination, Renewal, and Sign-Off

    Auto-renew with 90-day notice on a 3-year SaaS contract is the classic trap. Push for 30-day notice or month-to-month after initial term. Add a calendar reminder for 60 days before any auto-renewal date so the decision isn't missed.

    For 3PLs, lock down inventory return / transfer terms and timeline (30-60 days max), and cap final-month storage fees. For SaaS handling customer data, require export in standard formats (CSV, JSON) and certified deletion within 30 days post-termination.

    Default to your home state's law and venue when possible. Watch for arbitration clauses in the vendor's home jurisdiction with class-action waivers — fine for low-stakes SaaS, problematic for a 3PL holding seven figures of inventory.

    High-tier contracts get a redline pass from outside counsel before sign-off. Send the latest draft, the risk-tier rationale, and any prior counterparty contracts on file. Budget 5-7 business days for first redlines back.

    Final approver signs via DocuSign / Dropbox Sign. File the executed copy in the contract repository tagged by counterparty, type, effective date, and renewal date. Add the renewal-notice deadline to the operations calendar.
