Vendor Contract Review Checklist
Used by e-commerce operations and finance leads to review and approve vendor and partner contracts — 3PLs, suppliers, SaaS tools, influencer agreements, and reseller MAP agreements — before execution.
Contract Intake and Classification
- Identify the counterparty and contract type
Pull the draft, the counterparty's W-9 or W-8BEN, and any prior version on file. Contract type drives downstream review — a 3PL MSA, a Klaviyo or Recharge SaaS order form, an influencer / UGC agreement, and a reseller MAP agreement each have distinct risk profiles.
- Pull counterparty documentation
Attach W-9 / W-8BEN, certificate of insurance (COI) listing your entity as additional insured where applicable, references for new vendors, and any SOC 2 / ISO 27001 reports for SaaS counterparties handling customer data. Missing COIs are the most common reason contracts get bounced back at sign-off.
- Classify the contract risk tier
High tier: contracts touching customer PII, payment data, regulated products (CBD, supplements, children's products), or annual spend over $100K. Medium: 3PL or supplier MSAs, multi-year SaaS, brand-sensitive influencer deals. Low: standard click-through SaaS under $25K with no customer-data access.
Legal and Regulatory Review
- Verify regulatory fit for the contract type
Match the contract against the applicable regimes — FTC Endorsement Guides for influencer deals, MoCRA for cosmetics suppliers, CPSC tracking-label requirements for children's product manufacturers, PACT Act for tobacco. A contract silent on regulatory responsibility usually defaults that responsibility to the brand.
- Audit influencer FTC disclosure language
The contract must require #ad, #sponsored, or "paid partnership" disclosures conspicuous at the start of each post — not buried below the fold or in a hashtag stack. FTC has been actively enforcing on brands (not just creators) since the 2023 Endorsement Guides update. Include a takedown / correction obligation for non-compliant posts.
- Confirm the DPA covers CCPA and GDPR obligations
For any vendor that processes EU/UK or California resident data — Klaviyo, Yotpo, Gorgias, Postscript, attribution platforms — the DPA must list subprocessors, set 72-hour breach notification, and include SCCs (Standard Contractual Clauses) for cross-border transfers. "Privacy policy on our website" is not a DPA.
- Check restricted-product and labeling clauses
If the contract covers alcohol, CBD, supplements, cosmetics, children's products, or anything with state-by-state restrictions, confirm the supplier warrants compliance with FDA labeling, state DTC shipping rules, CPSC certification (GCC/CPC), and provides indemnification for compliance failures.
- Validate sales-tax responsibility allocation
For 3PL, dropship, and fulfillment contracts, confirm which party is the seller of record and bears nexus / collection responsibility post-Wayfair. For marketplace agreements, confirm marketplace-facilitator collection covers the relevant states. Misallocation here creates accumulating multi-state liability.
Financial and Payment Terms
- Review pricing tiers and volume breaks
For 3PL contracts, confirm per-pick, per-pack, per-box, and storage rates against your forecasted volume; ask whether dimensional weight pricing applies. For SaaS, confirm overage rates — Klaviyo profile-tier jumps and Gorgias ticket overages routinely break budgets when volume seasonality is ignored.
- Confirm payment terms and accepted methods
Net 30 ACH is standard; vendors pushing Net 15 or wire-only on a new MSA usually have collection history reasons. Confirm currency for international suppliers and who bears FX cost. Auto-debit terms on SaaS need a designated cardholder so card-expiry doesn't take Klaviyo offline mid-launch.
- Check late-payment penalties and chargeback handling
Watch for compounding late fees over 1.5%/month and auto-suspension clauses with no cure period. For payment-processor MSAs, confirm chargeback handling, dispute response windows, and reserve / rolling-reserve mechanics — surprise reserves can choke cash flow during Q4.
SLAs and Performance Standards
- Confirm fulfillment SLAs and ship cutoffs
For 3PLs, lock down: same-day-ship cutoff time (typically 2pm local), pick accuracy ≥ 99.5%, inventory accuracy ≥ 99%, receiving lead time, and peak-season volume commitments. Without a peak commitment in writing, your 3PL will deprioritize you in Q4 in favor of larger clients.
- Review uptime and incident-response commitments
For storefront-critical SaaS — Shopify apps in the checkout path, Recharge, Klaviyo for transactional email — confirm 99.9%+ uptime, P1 response under 1 hour, and status-page subscription. "Best efforts" is not an SLA.
- Define penalty credits for SLA misses
Service credits should be meaningful (10-25% of monthly fees per SLA breach), capped at the monthly fee, and should stack across categories. Confirm credit issuance is automatic on report, not gated on a customer-filed claim within 5 days — credits you have to chase rarely get paid.
IP, Data, and Confidentiality
- Confirm UGC and content ownership terms
For influencer / UGC / photographer agreements, secure a perpetual, royalty-free license for use across paid social, email, web, Amazon A+, and packaging — not just "organic social." Many creators' default templates limit usage to 90 days on a single channel, which kills ad reuse.
- Verify NDA scope and survival period
NDA should survive 3-5 years post-termination for general confidential info and indefinitely for trade secrets (formulations, sourcing, customer lists). Mutual NDA preferred. Confirm subcontractors are bound to equivalent confidentiality.
- Review subprocessor list and breach notification
Pull the vendor's current subprocessor list; many SaaS tools chain through 10+ subprocessors. Confirm breach notification within 72 hours (GDPR floor) with cooperation on customer notification. Verify right-to-audit or SOC 2 Type II report for high-risk processors.
Termination, Renewal, and Sign-Off
- Check auto-renewal and notice periods
Auto-renew with 90-day notice on a 3-year SaaS contract is the classic trap. Push for 30-day notice or month-to-month after initial term. Add a calendar reminder for 60 days before any auto-renewal date so the decision isn't missed.
- Document exit and data-return obligations
For 3PLs, lock down inventory return / transfer terms and timeline (30-60 days max), and cap final-month storage fees. For SaaS handling customer data, require export in standard formats (CSV, JSON) and certified deletion within 30 days post-termination.
- Confirm governing law and venue
Default to your home state's law and venue when possible. Watch for arbitration clauses in the vendor's home jurisdiction with class-action waivers — fine for low-stakes SaaS, problematic for a 3PL holding seven figures of inventory.
- Route to outside counsel for high-risk review
High-tier contracts get a redline pass from outside counsel before sign-off. Send the latest draft, the risk-tier rationale, and any prior counterparty contracts on file. Budget 5-7 business days for first redlines back.
- Execute the contract sign-off
Final approver signs via DocuSign / Dropbox Sign. File the executed copy in the contract repository tagged by counterparty, type, effective date, and renewal date. Add the renewal-notice deadline to the operations calendar.