What Is A Managed Services Agreement? (2026 Updated)

If you’re running a business, chances are you rely on someone else to keep key systems working - your IT support provider, cloud services partner, cybersecurity team, or even an outsourced HR or finance platform.

That’s where a Managed Services Agreement (MSA) comes in. It’s the contract that sets out exactly what you’re getting, how it’s delivered, how issues are handled, and what happens if something goes wrong.

This guide is updated to reflect current expectations in New Zealand around service delivery, privacy, and cyber risk management - because in modern business, “we’ll sort it out as we go” usually doesn’t end well.

What Is A Managed Services Agreement?

A Managed Services Agreement is a contract where one party (the managed service provider) agrees to deliver ongoing services to another party (you, the customer) for a recurring fee.

The key idea is that this isn’t a one-off job. It’s an ongoing relationship where the provider is responsible for delivering and maintaining certain services over time - typically with performance targets, response times, and defined support processes.

Managed Services Agreements are common in:

• IT managed services (helpdesk, networks, servers, devices, software updates)
• Cloud services (hosting, monitoring, backups, patching)
• Cybersecurity services (endpoint protection, security monitoring, incident response)
• Business process outsourcing (certain ongoing admin, finance, payroll support)
• Facilities management (ongoing maintenance and operational services)

In practice, a Managed Services Agreement often works together with a Service Level Agreement (SLA) and a Statement of Work (SOW). The Managed Services Agreement usually covers the “relationship rules”, while the SLA/SOW gets specific about the services and performance standards.

If you’re getting ongoing services, it’s worth having a properly drafted Managed Services Agreement in place from day one - it helps prevent misunderstandings and gives you clear options if performance slips.

When Do You Need A Managed Services Agreement (And When A Standard Service Agreement Is Enough)?

Not every supplier relationship needs a full managed services arrangement. But if you’re paying someone monthly (or regularly) to keep something running, you’re usually in managed services territory - even if you haven’t labelled it that way.

You’ll Usually Need A Managed Services Agreement If:

• You’re paying a retainer or subscription for ongoing support
• The provider is monitoring systems and taking action without you requesting each task
• You’re relying on the provider for business-critical operations (e.g. email, POS, customer database, servers)
• You need guaranteed response times (e.g. “critical issues responded to within 1 hour”)
• The provider will access or handle personal information (customers, staff, patient/client data)

A Standard Service Agreement Might Be Enough If:

• It’s a defined one-off project (e.g. “build a website” or “install a new system”)
• There’s no ongoing monitoring or responsibility after completion
• You’re comfortable with flexible timeframes and no service-level commitments

That said, many “one-off” projects turn into ongoing support arrangements. If you can see that happening, it’s often better to set expectations upfront in a managed services-style contract, rather than patching terms later when something breaks.

Depending on the service, you might still use a broader Service Agreement framework - the important part is that the contract actually reflects how the relationship works in real life.

What Should Be Included In A Managed Services Agreement?

A good Managed Services Agreement is designed to answer the questions you and your provider will inevitably ask later - especially during a dispute, a service outage, or a pricing disagreement.

While each agreement should be tailored, here are the clauses we commonly see (and why they matter).

1. Scope Of Services (And What’s Excluded)

This is the heartbeat of the agreement. You want it to be crystal clear what the provider will do, and just as importantly, what they won’t do.

• What systems are covered (devices, servers, cloud platforms, software)
• Included services (monitoring, maintenance, patches, helpdesk, reporting)
• Excluded services (projects, major upgrades, after-hours support unless agreed)
• Assumptions and dependencies (e.g. you must keep licences current, provide access)

Vague scopes create scope creep. Scope creep leads to surprise invoices or resentment - neither is great for a long-term working relationship.

2. Service Levels (SLAs) And Support Process

Service levels usually cover:

• Response time (how quickly they acknowledge an issue)
• Resolution time (how quickly they fix it, or provide a workaround)
• Uptime commitments (especially for hosted services)
• Support channels (ticketing system, email, phone) and escalation steps
• Priority levels (critical / high / medium / low)

This is also where you should define after-hours and weekend support, and whether it’s included or charged at a different rate.

3. Fees, Invoicing, And Price Changes

Managed services are often priced as a fixed monthly fee, but there are lots of variations. Your agreement should set out:

• What the recurring fee covers (and what triggers additional charges)
• Hourly rates for out-of-scope work
• Pass-through costs (software licences, third-party subscriptions)
• When invoices are issued and when payment is due
• How and when pricing can change (e.g. annual review, CPI adjustments)

If pricing can change, it should be transparent and predictable. This also helps with compliance under the Fair Trading Act 1986 - you don’t want billing practices that could be seen as misleading or unclear.

4. Term, Renewal, And Exit (Including Transition Support)

Because managed services are ongoing, you need a realistic exit plan.

Key points include:

• Initial term (e.g. month-to-month, 12 months, 24 months)
• Auto-renewal and notice requirements
• Termination rights (for convenience vs for cause)
• What happens on exit: return of data, handover, offboarding, knowledge transfer
• Whether transition support is included or billed separately

A smooth handover matters more than people think. If your provider holds admin access, passwords, configuration knowledge, or key data, the “break-up” can seriously disrupt your business unless the agreement forces cooperation.

5. Confidentiality And Data Handling

Managed service providers often see sensitive business information - credentials, systems architecture, customer information, and internal documents.

You’ll usually want confidentiality obligations that are specific, practical, and backed by clear rules about what happens when the contract ends.

Many businesses also pair managed services with a separate Non-Disclosure Agreement, particularly during early discussions or where highly sensitive information will be shared before the managed services start.

6. Privacy, Security, And Data Breach Responsibilities

If your provider will access, store, or process personal information, privacy can’t be an afterthought.

In New Zealand, the Privacy Act 2020 sets expectations around collecting, using, storing, and disclosing personal information, and taking reasonable steps to keep it secure.

Your Managed Services Agreement should clearly cover:

• What personal information the provider can access and why
• Security controls the provider must maintain (e.g. MFA, encryption, logging)
• Restrictions on offshore hosting or subcontracting (or at least disclosure rules)
• Incident response obligations (who does what, and how quickly)
• Data breach notification responsibilities and cooperation

If your provider is handling personal information on your behalf, you may also need a Data Processing Agreement to properly document privacy responsibilities, especially where data is processed using third-party platforms or offshore infrastructure.

And if you collect customer information through your website or app, make sure your public-facing Privacy Policy matches what actually happens in practice - including whether third-party IT providers have access.

7. Intellectual Property (IP) And Ownership Of Outputs

Managed services can involve creating or modifying things like scripts, automations, dashboards, documentation, configurations, or even custom software.

Your agreement should be clear about:

• What IP each party owns before the relationship starts (pre-existing IP)
• Who owns anything created during the engagement (new IP)
• Whether you get a licence to use provider tools or templates
• Whether you can keep using certain tools after termination

This matters if you ever switch providers - you don’t want to find out your systems depend on something you’re not allowed to keep using.

8. Liability, Indemnities, And Practical Risk Allocation

This is often the most negotiated part of a Managed Services Agreement - and for good reason. If something goes wrong, the contract usually decides who carries the risk.

Common topics include:

• Limitations of liability (often capped to fees paid over a period)
• Exclusions of indirect or consequential loss
• Indemnities (e.g. for IP infringement, third-party claims, or security breaches)
• Insurance requirements (professional indemnity, cyber insurance)

A fair contract doesn’t try to make one party wear all the risk. Instead, it allocates risk to the party best able to manage it - and makes sure you’re not left without meaningful remedies.

What Laws And Compliance Issues Should You Keep In Mind In NZ?

A Managed Services Agreement isn’t just a commercial document - it’s part of your broader legal compliance and risk management.

Here are some key NZ legal areas that often come into play.

Privacy Act 2020 (Especially For IT And Cloud Services)

If personal information is involved, you need to think about access controls, storage, disclosure, and breach response. Even if the provider is the one “handling” the data, you (as the business collecting it) still have responsibilities.

This is why it’s important that privacy obligations aren’t hidden in a vague clause - they should be specific enough to guide real-world behaviour during an incident.

Fair Trading Act 1986 (Misleading Claims And Service Promises)

If a provider is promising “24/7 monitoring”, “bank-grade security”, or “guaranteed uptime”, you’ll want those claims backed up by contractual commitments.

On your side, if you’re reselling or passing on services to your own customers, make sure you don’t overpromise based on assumptions about what your provider will deliver.

Contract And Commercial Risk (Enforcement And Evidence)

In disputes, what matters is what’s written down (and what you can prove). A Managed Services Agreement helps avoid messy “he said / she said” situations by setting expectations, reporting requirements, and escalation processes.

If your provider relationship is currently based on emails and a proposal document, it’s worth tightening it up before there’s a service outage or billing dispute.

Workplace And People Issues (If The Provider Has Access To Staff Data)

Some managed service providers end up handling staff personal information (payroll systems, HR platforms, identity documents for onboarding). That raises privacy and confidentiality risks, and can also impact trust within your team if mishandled.

If your managed services arrangement touches employment systems, it’s smart to ensure your internal documents (like your Employment Contract) align with how staff information is collected and stored.

Common Managed Services Agreement Mistakes (And How To Avoid Them)

Managed services relationships usually start with good intentions. Problems tend to come from unclear expectations - not from bad people.

Here are common traps we see, and how you can avoid them.

1. Relying On A Proposal Or Quote Instead Of A Proper Agreement

A proposal is usually written to win work. It’s not always written to handle disputes, terminations, or security incidents.

If the relationship is ongoing and business-critical, you’ll want a contract that covers the full lifecycle - onboarding, delivery, changes, and exit.

2. No Clear Definitions For “Included Support”

If “support” isn’t defined, you might assume things like security patching, backups, and proactive monitoring are included - while the provider assumes it’s ticket-based helpdesk only.

Make the scope specific and put exclusions in writing, so there’s no awkward surprise later.

3. Missing Or Weak Cybersecurity And Data Breach Clauses

Cyber incidents are no longer rare edge cases. If your provider has system access, your agreement should cover the basics:

• minimum security standards
• incident notification timeframes
• cooperation with investigation and remediation
• who pays for what when something goes wrong

This is also where you’ll want to check whether the provider can subcontract work or move data offshore without telling you.

4. No Exit Plan (Or A “Hostage” Situation)

If the agreement doesn’t force the provider to cooperate on transition, you risk losing access to:

• admin accounts and passwords
• documentation and network diagrams
• platform configurations
• backup access and restore processes

A good agreement makes exit manageable - even if the relationship ends on bad terms.

5. DIY Templates That Don’t Match Your Actual Setup

It’s tempting to download a template and fill in a few blanks. The problem is that managed services vary hugely depending on your systems, data sensitivity, and operational risk.

If the contract doesn’t match the reality of what’s happening (especially around data access and service levels), it won’t protect you when you need it most.

If you’re unsure what should be customised, getting a lawyer to draft or review the agreement can save you a lot of cost and stress later.

Key Takeaways

• A Managed Services Agreement sets the legal foundation for ongoing services like IT support, cloud management, and cybersecurity, including how the service is delivered and measured.
• The agreement should clearly define the scope of services, exclusions, service levels, fees, and support processes so you’re not relying on assumptions.
• Strong privacy and security clauses are essential where the provider can access personal information, particularly under the Privacy Act 2020.
• A practical exit and transition plan is critical, especially where the provider controls admin access, documentation, backups, or key systems.
• Managed services often involve IP issues (like scripts, documentation, or configurations), so ownership and licensing should be addressed upfront.
• Generic templates can miss business-critical details, so tailored drafting or a review is usually the safest option for long-term protection.

If you’d like help drafting or reviewing a Managed Services Agreement, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.