Customer Terms for Managed IT Service Providers in New Zealand

If you provide managed IT services, your customer terms do more than set out price and payment. They decide who is responsible when systems go down, what happens if a client delays giving access, how far your liability extends after a cyber incident, and whether a salesperson's promise becomes legally binding.

Many MSPs make the same mistakes: they rely on a short proposal instead of a proper contract, they promise unrealistic response times, or they copy overseas terms that do not fit New Zealand law. Others leave privacy, subcontractors, or automatic renewals vague and end up arguing about scope after the work has started.

Good customer terms should give you a practical framework for day to day service delivery and a defensible position when things go wrong. They should also reflect how managed services actually work, including remote support, third party software, ongoing monitoring, hardware procurement, and cybersecurity limitations. Here is what the agreement should cover, what New Zealand businesses should check before they sign, and where MSPs most often get caught.

Overview

Customer terms for a managed IT service provider are the contract terms that govern your relationship with business customers. They should allocate risk clearly, define the services with enough detail to avoid scope disputes, and line up with New Zealand laws that affect service providers, including consumer protection and privacy obligations where relevant.

A well drafted set of terms usually works alongside a proposal, service schedule, statement of work, or order form. The key is making sure those documents fit together and say who wins if there is a conflict.

• Define the services, exclusions, service levels, and support windows clearly.
• Set out customer responsibilities, including access, approvals, backups, and security cooperation.
• Deal with fees, invoicing, price changes, renewals, and suspension rights.
• Limit liability sensibly and address indirect loss, third party systems, and cyber incidents.
• Cover privacy, confidentiality, data handling, and any use of subcontractors or offshore tools.
• State how disputes, termination, transition out, and return of customer data will work.

What Customer Terms for Managed IT Service Provider Means For New Zealand Businesses

For a New Zealand MSP, customer terms are the main legal document that turns your sales discussions into a workable commercial arrangement. If the terms are vague, the client will often assume your broad promises are included, even when your pricing was based on narrower support.

This matters most before you accept the provider's standard terms, before you rely on a verbal promise, and before you sign a long term support arrangement with bundled licences or hardware. Founders often focus on the monthly fee, but the real legal and commercial risk sits in service scope, liability, and data handling.

What the agreement is actually doing

Your customer terms should answer a simple question: what exactly are you agreeing to provide, on what assumptions, and what happens if the arrangement changes?

For managed IT services, that usually means more than one document. You may have:

• master customer terms that apply to all clients
• a proposal or order form setting out the commercial deal
• a service schedule covering inclusions, exclusions, response targets, and supported systems
• a statement of work for projects such as migrations or onboarding
• a third party software or hardware schedule

If those documents are inconsistent, disputes become much harder to resolve. A client may point to a sales email, while you point to a limitation clause buried in your standard terms. Your contract should make the order of precedence clear.

Why New Zealand context matters

New Zealand law shapes how your terms operate, even in a business to business setting. For example, the Fair Trading Act 1986 can affect pre-contract statements and marketing claims. If you advertise "24/7 monitoring" or "enterprise grade security" but the service does not match, the issue may not be fixed just because your contract has a broad disclaimer.

The Consumer Guarantees Act 1993 can also matter in some situations. Many MSPs deal only with business clients and include a clause contracting out of the CGA where the law allows. That clause needs to be drafted properly and used in the right context. If you also support sole traders, home offices, or mixed use customers, the position may be less straightforward.

The Privacy Act 2020 is another major issue. If your services involve handling personal information for customers, including employee or client data, your terms should explain what you do with that information, what security measures apply, and whether any data is stored or accessed through overseas providers. In some cases, that may need more specific data protection wording.

Managed services are not just support

This is where founders often get caught. A managed IT arrangement can combine ongoing services, project work, software resale, cloud administration, procurement, and security monitoring in one monthly package. If you do not separate those elements, your liability and performance obligations can become hard to manage.

For example, your client may think cybersecurity monitoring means you are responsible for preventing all attacks. You may think you are only providing alerts and remediation support. The contract needs to say which interpretation is right.

Legal Issues To Check Before You Sign

The right legal checks usually focus on scope, risk allocation, and operational reality. A strong managed services contract should reflect how your team actually works, not an idealised version of the service from a sales deck.

Service scope and exclusions

Your first job is to define what is included in the monthly service and what is not. If you leave scope broad, clients may expect unlimited support, project work, or after hours assistance at no extra charge.

Your terms should spell out details such as:

• supported devices, users, locations, and operating environments
• business hours and after hours support arrangements
• remote support versus onsite attendance
• whether onboarding, audits, procurement, and strategy advice are included
• whether cybersecurity services are monitoring only or include active response
• services excluded from the fixed fee, such as projects, hardware replacement, and vendor liaison outside agreed limits

If you use service levels, define them carefully. Response time is not the same as resolution time. A ticket acknowledged within 15 minutes can still take hours or days to fix. The contract should say exactly what those measures mean.

Customer responsibilities

MSPs often forget that service quality depends on what the customer does. Your terms should say the client must provide access, maintain authorised contacts, cooperate with security recommendations, and disclose relevant system information.

You may also want clauses covering:

• customer responsibility for timely approvals and instructions
• the need to maintain licensed software and vendor support where required
• customer obligations to keep backups, unless backup management is part of your service
• the consequences if the customer refuses recommended security controls

This matters because clients sometimes reject patching, multi factor authentication, or hardware upgrades, then expect the MSP to carry the blame when an issue arises.

Fees, price changes, and payment protection

Your pricing clause should do more than set a monthly fee. It should explain what triggers extra charges, when invoices are due, whether annual price reviews apply, and what you can do if payment is late.

Before you sign, make sure the terms cover:

• setup or onboarding fees
• minimum contract terms and renewal periods
• out of scope work rates
• pass through charges for software, cloud services, and third party licences
• your right to suspend services for non-payment, subject to any notice requirements
• what happens if a vendor increases its pricing mid term

If your service depends on third party platforms, you should avoid promising that your own pricing will never change if those upstream costs rise.

Liability and indemnities

The main risk is often not whether something goes wrong, but how much exposure sits with you when it does. A sensible limitation of liability clause can be the difference between a manageable issue and a business threatening claim.

Many MSP agreements try to exclude all liability. That is rarely realistic and may not hold up in every situation. A better approach is a balanced clause that:

• caps your total liability to a stated amount or a multiple of fees paid
• excludes indirect or consequential loss, such as lost profits or business interruption
• carves out certain matters if needed, such as fraud or non-excludable rights under law
• limits liability arising from third party products, internet outages, customer systems, or events outside your control

Indemnity clauses also need care. If a customer asks you to indemnify them for any data breach, loss, or security incident, that may go far beyond what your insurance actually covers.

Privacy, confidentiality, and data handling

If your team can access personal information, payroll records, health information, customer databases, or emails, your terms should deal with privacy directly. General confidentiality wording is not enough on its own.

Consider addressing:

• whether you act only on customer instructions for personal information
• security controls and access management
• whether subcontractors or cloud tools are used
• overseas storage or remote access
• breach notification processes and who communicates with affected individuals or regulators
• what happens to data at the end of the contract

Your customer may also need a separate privacy notice or data processing schedule if the services are more sensitive or the client is a larger organisation with its own compliance requirements.

Third party tools, software, and procurement

Most managed services rely on third party vendors. Your customer terms should make clear that those products have their own terms, performance limits, and availability risks.

If you resell licences or procure hardware, set out whether you act as principal or simply arrange supply. You should also state how warranties are handled, whether returns are allowed, and who bears risk for vendor discontinuation or delays.

Termination and transition out

Exit clauses matter just as much as entry terms. Clients often focus on getting started and forget to ask how the relationship ends if the service is not working.

Your agreement should cover:

• termination for breach and for convenience
• notice periods
• early termination fees or recovery of committed costs where appropriate
• what transition assistance you will provide
• how and when customer data, credentials, documentation, and assets are returned or deleted

This is especially important where the MSP controls admin access, backup systems, domain settings, or key vendor relationships.

Common Mistakes With Customer Terms for Managed IT Service Provider

The most common contract mistakes come from using terms that are too general for the service being sold. Managed IT arrangements involve practical dependencies, and your contract needs to reflect them clearly.

Using a generic services agreement

A standard consulting contract often does not fit a managed services model. Consulting agreements may say little about uptime, support windows, remote access, monitoring tools, or ongoing subscription charges.

If your legal terms read like a one off advisory project, you may be under-protected when a long term support issue appears.

Promising outcomes you cannot fully control

Many MSPs over-promise in proposals or sales calls. Statements like "we will prevent cyber attacks" or "zero downtime" are risky because they describe outcomes affected by third party systems, user behaviour, and factors outside your control.

A better contract frames the service accurately. You can promise monitoring, response, recommendations, and support processes. You should be careful about guaranteeing total prevention or uninterrupted availability unless you can genuinely stand behind that promise.

Leaving scope in emails and verbal conversations

Clients often remember informal comments, especially if they were made before they signed. If your sales process includes bespoke concessions, those should be pulled into the formal agreement or expressly excluded.

Before you rely on a verbal promise, ask whether the final contract says the same thing. If it does not, you may face arguments about what was agreed.

Failing to contract out of the CGA where appropriate

Where you supply services to another business, it may be possible to contract out of the Consumer Guarantees Act, but only if the legal requirements are met. Many MSPs either forget this entirely or use wording that is too loose.

This does not mean every customer can be treated the same. The nature of the customer and the purpose of the services still matter, so the clause should be reviewed in context.

Ignoring privacy because the customer owns the data

Some providers assume privacy is the client's issue because the client controls the data. That is too simplistic. If your staff can access, use, store, or transfer personal information while delivering services, privacy and security obligations still matter.

Your terms should match your actual practices, especially if you use offshore support teams, remote management platforms, or cloud tools that process personal information.

Forgetting subcontractors and outsourced support

If part of your service desk, monitoring, or project delivery is handled by a contractor or another provider, your contract should say so where needed. Hidden outsourcing can create trust and compliance issues, particularly for customers in regulated sectors.

You should also make sure your subcontractor arrangements line up with the promises you make to customers on confidentiality, security, and response times.

Weak dispute and variation clauses

Customer relationships can sour when there is no practical process for changing scope or resolving disagreements. If your terms do not explain how variations are approved, clients may assume every request is part of the fixed monthly fee.

Likewise, if disputes jump straight to legal threats, a manageable issue can become expensive quickly. A simple escalation clause often helps both sides deal with operational problems before they become formal disputes.

FAQs

Do managed IT service providers need written customer terms?

In practice, yes. You can form a contract without a formal document, but written terms are the clearest way to define scope, allocate risk, and avoid arguments about what was promised.

Can an MSP limit its liability in New Zealand?

Usually, yes, but the clause needs to be drafted carefully and used in the right context. A blanket disclaimer will not always be effective, especially if it conflicts with non-excludable legal rights or misleading pre-contract statements.

Should customer terms include service levels?

Usually, yes, if your service offering refers to response times, support hours, or incident priorities. The key is to define those metrics precisely and avoid promising more than your team can consistently deliver.

What if the customer asks to use their own contract?

You should review it carefully before you sign. Customer drafted contracts often shift broad security, privacy, and indemnity risk onto the provider, and they may not reflect how managed services actually work.

Do customer terms need privacy clauses if the client owns the data?

Yes, often they do. If your services involve access to personal information, your contract should address confidentiality, security, data handling, subcontractors, and breach management.

Key Takeaways

• Customer terms for a managed IT service provider should define the services clearly, including exclusions, service levels, and support assumptions.
• Your contract should deal with fees, renewals, scope changes, non-payment, and third party vendor costs in practical terms.
• Liability clauses, indemnities, and privacy wording need special attention because MSP risk often centres on outages, cyber events, and data access.
• New Zealand issues such as the Fair Trading Act, the Consumer Guarantees Act, and the Privacy Act can affect how your terms operate.
• Founders often get caught when they rely on proposals, emails, or generic consulting agreements instead of a managed services contract tailored to the actual service model.
• Exit planning matters, so your terms should cover termination rights, transition assistance, and the return or deletion of customer data and credentials.

If you want help with service scope clauses, liability caps, privacy terms, and termination rights, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.