May 17, 2026 · 11 min read · Cadence Editorial

Dev agency contract templates and gotchas


Dev agency contract templates in 2026 have three layers: a Master Services Agreement (MSA) that governs the relationship, Statements of Work (SOWs) that scope each engagement, and Change Orders that handle drift. The gotchas live in four clauses: IP assignment, AI-output ownership, indemnification caps, and exclusivity. Get those right and most disputes evaporate before they become invoices.

This post covers the agency-to-client side of contracts. If you're a single engineer running solo, see our guide on the contractor agreement for engineers; the dynamics are different (you're personally on the hook for IP, not a corporate entity).

The three-layer contract stack

Most dev shops we talk to run one of two broken patterns. Either they sign a single 40-page document per client (slow to negotiate, painful to amend) or they work on a one-page PO and pray (fast, until the dispute lands).

The clean pattern is three layered documents that each do one job.

| Document | Signed when | Length | Governs |
| --- | --- | --- | --- |
| Master Services Agreement (MSA) | Once per client | 8 to 15 pages | Liability, IP, payment terms, confidentiality, term and termination |
| Statement of Work (SOW) | Per engagement | 2 to 4 pages | Scope, deliverables, timeline, fees, acceptance criteria |
| Change Order | Per scope change | 1 page | Delta to a specific SOW (added scope, new timeline, fee adjustment) |

The MSA is the constitution. SOWs are the laws. Change Orders are the amendments. Negotiate the MSA once, hard. After that, every new project is a 2-page SOW that points back to the MSA, which collapses sales-cycle friction by something like 70%.

Master Services Agreement: the clauses that actually matter

Most MSAs are 80% boilerplate copied from a template. The 20% that matters lives in five places.

1. IP assignment language

The bad version: "All work product becomes the property of Client upon delivery."

The problem: "delivery" is undefined and "upon" creates a gap. If the client refuses to pay invoice 4 of 6, do they still own milestones 1 through 3? Most courts say yes, which is bad for you.

The better version:

"All Work Product, as defined in the applicable SOW, shall be assigned to Client upon Client's payment in full of all undisputed invoices for that SOW. Until such payment, Contractor retains all right, title, and interest in the Work Product, and Client receives only a limited, revocable license to evaluate the Work Product."

This is called a payment-conditional assignment. It is enforceable in 49 US states (Louisiana civil law is weirder). It turns non-payment from a collections problem into a copyright-infringement problem, which is a much shorter conversation.

2. AI-output ownership (new in 2026)

This is the clause that did not exist three years ago and now appears in every well-drafted MSA we see.

The question: when your engineers ship 4,000 lines of Cursor-generated code to a client, what exactly is being assigned? US Copyright Office guidance (updated January 2026) makes it clear that pure machine-generated output is not copyrightable. Human-edited or human-directed AI output usually is.

The clause needs to do three things:

  • Acknowledge AI tools are part of the workflow (Cursor, Claude Code, Copilot, etc.)
  • Confirm the agency owns or has license to all training-data outputs it produces
  • Assign whatever IP rights do exist to the client, plus a backup license covering the unprotectable portions

Sample language:

"Contractor may use generative AI tools, including but not limited to large language models and code-generation assistants, in the production of Work Product. Contractor represents that (a) it has reviewed and meaningfully edited all AI-assisted output, (b) it has the right to use the tools employed under their respective terms of service, and (c) to the extent any portion of the Work Product is not eligible for copyright protection, Contractor grants Client a perpetual, irrevocable, royalty-free license to use, modify, and distribute that portion."

This is also the moment to surface what tools you actually use. Every engineer on Cadence is AI-native by default, vetted on Cursor and Claude Code fluency before they unlock bookings, which means the AI-output clause is mandatory in every Cadence-routed engagement. If your shop hasn't standardized on this yet, you're shipping legal ambiguity with every PR.

3. Payment terms and the kill fee

Net-30 is the default and the default is wrong for a 4-engineer shop. Net-30 means you're carrying 60+ days of payroll on every active client (you bill at month-end, they pay 30 days later, you've already paid two more weeks of salary). Net-15 cuts that meaningfully. Net-7 or weekly is what we'd actually recommend.

The kill fee (sometimes called a termination fee or cancellation fee) protects you against the client who signs a 12-week engagement, gets cold feet at week 3, and tries to walk. Standard structures:

| Termination point | Typical kill fee |
| --- | --- |
| Before engagement start | 25% of total SOW value |
| Within first 25% of timeline | 50% of remaining SOW value |
| Between 25% and 75% of timeline | 25% of remaining SOW value |
| After 75% of timeline | 0% (project is mostly done; just finish it) |

The kill fee is the line item clients will fight hardest. Hold it. Without it, you're a free option for indecisive buyers.

4. Indemnification limits (the cap)

Uncapped indemnification is how dev agencies go bankrupt over a single client. Standard pattern in 2026:

  • Cap on direct damages: 1x to 2x fees paid in the prior 12 months
  • Cap on indemnification: 2x to 3x fees paid in the prior 12 months
  • Carve-outs from cap: IP infringement, breach of confidentiality, gross negligence

The carve-outs are where most fights happen. Clients want IP infringement carved out entirely (because if you ship code that infringes a third-party patent, the client gets sued and wants you to make them whole). You want it capped at 3x because patent-troll math is unbounded.

Compromise: carve IP indemnification out of the cap, but limit it to actual losses (no consequential damages) and require the client to tender defense (you get to pick the lawyer). This is the structure that holds up.

5. NDA scope and survival

Mutual NDAs are table stakes. Two clauses matter: a survival period (3 years post-termination for general confidential info, indefinite for trade secrets like customer lists and source architecture) and a residuals carve-out. The residuals clause says "general skills, know-how, and unaided memory" do not constitute confidential information. Without it, every engineer who finishes a client engagement becomes a contamination risk for the next one. Push hard for residuals.

Statement of Work: where scope creep lives or dies

The SOW does four things. If it does fewer than four, you'll fight about scope.

  1. Scope. What is being built. Be specific. "Build a checkout flow" is not a scope; "Build a single-page checkout supporting Stripe, ApplePay, GooglePay, with address validation via Smarty, fraud check via Stripe Radar, and email receipts via Postmark" is a scope.
  2. Out of scope. What is explicitly not being built. This is the section most agencies skip and most fights stem from. List it. "Out of scope: tax calculation, marketplace seller payouts, refund automation, subscription billing."
  3. Acceptance criteria. What makes the work "done." Best practice: list 5 to 10 concrete test cases the client can run, plus a sign-off deadline (default: 7 business days after delivery; silence = accepted).
  4. Assumptions. What you're assuming about the client environment. "Assumes Postgres 15+, Vercel deployment, existing Auth.js setup." If any assumption breaks, you fall back to a Change Order.

For more on running multiple SOWs in parallel without losing margin, see our guide on managing multiple client projects as a dev agency.

Change Order workflow: the unsexy growth lever

A clean Change Order process is the single biggest margin protector for a dev shop. It is also the single most underused.

The workflow:

  1. Engineer flags a scope drift in standup ("Client asked for SSO integration; not in original SOW").
  2. Account lead pulls the original SOW, writes a 1-page Change Order: what's added, what's the new fee, what's the new timeline.
  3. Client signs Change Order before any work begins on the delta.
  4. Change Order references the parent SOW by ID; the MSA terms still apply.

The mistake almost every agency makes: doing the work first, then sending the Change Order. Once you've shipped, the client has zero reason to negotiate, but they also have zero urgency to sign. We've seen shops carry $40,000 in unsigned Change Orders before a client churns and the receivable becomes uncollectable.

Rule: no work on a scope delta until the Change Order is signed. This will feel uncomfortable. It will also save your margin.

Dev agency pricing models in 2026 covers the question of when to bundle scope creep into a retainer vs always running it through Change Orders.

Exclusivity clauses: read these carefully

Clients sometimes ask for exclusivity ("the agency cannot work with our competitors for the duration of this engagement plus 12 months"). This is almost always a bad trade for the agency.

The math: if a client pays you $20,000/month and asks for exclusivity in fintech, you're trading the entire fintech vertical (worth far more than $20k/month in expected value) for one logo. Decline unless they're willing to pay a real exclusivity premium (typically 2x to 3x the base fee).

If you must agree, narrow the scope ("direct competitors in the consumer-facing prepaid card vertical," not "all financial services"), time-box it to 6 months max, and limit it to identical work (you can still build internal tools for a competitor; you just can't build their consumer product).

How Cadence routes around contract overhead

Most of this contract apparatus exists because traditional dev shops sign 12+ month relationships with unknown counterparties. When the engagement is weekly and the engineer is pre-vetted, you can collapse a lot of the boilerplate. Cadence handles the engineer-side contract centrally: every engineer signs a master IP assignment, AI-tooling representation, and confidentiality agreement before they unlock bookings. The founder-side terms are a single click-through at booking.

This doesn't replace your client MSA. But for the spiky portion of agency work (the 60-70% that's hard to staff), routing it through Cadence engineers under your own brand skips the contract-overhead drag entirely. For the operational side of running this hybrid model, our breakdown of agency utilization rates and what's healthy in 2026 covers how to staff the predictable vs spiky split.

Common contract gotchas (the list)

The mistakes we see most often, in rough order of how expensive they are:

  1. No payment-conditional IP assignment. You ship, they don't pay, and they own the code anyway. Median loss: 1 to 2 months of fees per incident.
  2. Uncapped indemnification. One patent troll, one bankruptcy.
  3. No AI-output clause. Increasingly common in 2026 audits; clients are asking and agencies are stammering.
  4. No kill fee. Sales cycle becomes optionality theater.
  5. Net-30 with no late penalty. Effectively a 30-day interest-free loan to your client.
  6. No Change Order discipline. $40k in unsigned scope deltas at any given time.
  7. Overly broad exclusivity. Trading vertical access for one logo.
  8. No acceptance-criteria deadline. Project sits in "client review" forever, billing frozen.
  9. NDA without residuals carve-out. Every engineer becomes a contamination risk.
  10. Verbal Change Orders. Easy to do, impossible to enforce.

If your template has more than 3 of these, it's worth a 4-hour rewrite session with a contracts lawyer ($1,500 to $3,000); it pays back on the first averted dispute. For agency-side proposal mechanics that pair with these contracts, see how to write a dev agency proposal that wins.

What to do next

Three concrete next steps based on where you are:

  • No MSA template yet: start with a lawyer-reviewed template from a service like Bonsai, Better Legal, or Stripe Atlas, then customize the 5 clauses above. Budget a half day.
  • Have a template but it's pre-2024: add the AI-output ownership clause this week. It's the single highest-risk gap right now.
  • Template is current but signing cycles are slow: split the MSA from the SOW. Negotiate the MSA once per client; ship SOWs as 2-page documents that reference it. You'll close engagements 2 to 3 weeks faster.

Agencies running spiky client work through Cadence engineers can skip the engineer-side contracting entirely. Every engineer arrives with IP assignment, AI-tooling rep, and NDA already signed, so you only manage the client-side MSA. Earn 10% recurring as a Cadence partner on every founder you refer, or run Cadence engineers under your own brand at agency markup.

FAQ

What's the difference between an MSA and a SOW?

The MSA (Master Services Agreement) is signed once per client and governs the overall relationship: liability caps, IP terms, payment terms, confidentiality. The SOW (Statement of Work) is signed per engagement and covers project-specific scope, deliverables, timeline, and fees. SOWs always reference the parent MSA, so you negotiate the hard stuff once.

Who owns AI-generated code in a dev agency contract?

In 2026, US Copyright Office guidance says pure machine-generated output is not copyrightable, but human-edited or human-directed AI output usually is. A well-drafted contract assigns the copyrightable portions to the client and grants a perpetual royalty-free license to the non-copyrightable portions, so the client gets full practical ownership either way. The agency also represents that it has the right to use the AI tools under their terms of service.

What's a reasonable kill fee for a dev agency contract?

Standard kill fees range from 25% of total SOW value (if cancelled before start) to 50% of remaining value (cancelled in first quarter of timeline), tapering to 0% in the final quarter. Without a kill fee, you become a free option for indecisive buyers; they tie up your team's capacity then walk without cost.

Should I cap indemnification in a client contract?

Yes. Standard 2026 practice is to cap direct damages at 1x to 2x trailing-12-month fees and total indemnification at 2x to 3x, with carve-outs for IP infringement, gross negligence, and breach of confidentiality. Uncapped indemnification is how single-client disputes turn into agency bankruptcies.

How do I handle scope creep without losing the client?

Run a strict Change Order process: any scope delta goes through a 1-page Change Order with revised fees and timeline, signed before any work begins. The mistake is doing the work first and asking later, which leaves you carrying unbilled scope. A clean Change Order process actually strengthens client relationships because it makes trade-offs explicit instead of resentful.

Do I need an exclusivity clause when working with a client?

Almost never, unless the client pays a real exclusivity premium (2x to 3x base fee). Exclusivity trades your entire competitive vertical for one logo, which is rarely good math. If you must agree, narrow it to direct product competitors, time-box it to 6 months, and limit it to identical work.
