12 Essential Clauses to Negotiate in Your ERP Contract Before Signing

Practical guide for CIOs and CFOs: the 12 contractual clauses to demand before signing your ERP contract (SLA, data portability, price caps, Cloud Act, escrow).

You have selected your future ERP. The vendor sends you a 40-page contract drafted by their legal team, written entirely in their favour. Commercial pressure is building: your sales rep wants to close before quarter-end, your CIO wants to start the project, your CFO wants to lock in the budget. You sign.

That is precisely the moment when many organisations commit their most expensive mistake — not in choosing the software, but in negotiating the contract.

An ERP typically stays in production at mid-market companies for seven to ten years. It is a structural relationship: your data, your processes, your teams, your regulatory compliance all depend on it. Every clause poorly negotiated today will cost you in constraints and overruns for a decade.

This guide details 12 clauses you must negotiate before signing — what vendors propose by default, what you need to secure, and the red flags that should make you put down the pen.

Why an ERP Contract Differs from a Standard Software Agreement

A Structural Information Asymmetry

At signing, the vendor knows their product intimately: its limits, the real cost of support, the likelihood that you will still be there in five years. You are just learning. That asymmetry justifies negotiating every clause carefully, rather than trusting the goodwill of a sales moment.

Three Contracts to Negotiate Simultaneously

Most ERP projects actually involve three distinct documents:

  • The licence or SaaS subscription agreement: software access, user count, included modules
  • The maintenance and support agreement (sometimes called AMS — Application Management Services): who handles incidents, in what timeframes, at what cost
  • The hosting or managed-services agreement: where your data lives and who is responsible for it

Negotiate all three as a package. A vendor that accepts strict SLAs on the licence but leaves support terms vague has simply shifted the risk. Demand consistency across all three documents before signing any one of them.

The 12 Clauses You Must Negotiate

Clause 1: Contractualised Functional Scope

What the vendor proposes by default: a vague formulation (“ERP with finance, procurement and sales modules”) with a reference back to “the commercial proposal” — which is not annexed to the contract.

What you must obtain: a comprehensive functional annex listing every module, every included feature, user volumes, and planned integrations. This annex must be signed by both parties and constitute a binding contractual exhibit.

Red flag: any contract that references “the commercial proposal” without attaching it. If a dispute arises over scope, you will have no recourse.

Clause 2: Contractualised Schedule with Milestones and Delay Penalties

What the vendor proposes by default: “indicative” dates, a schedule “subject to client team availability”, with no penalty for vendor-side delays.

What you must obtain: fixed contractual milestones (UAT delivery, go-live, project close-out), with a delay penalty of 0.5 to 1% of the total project value per month of overrun attributable to the vendor. Contractually distinguish delays caused by the vendor from those caused by the client.

Important nuance: delay penalties are uncomfortable for vendors, but their very presence in the contract disciplines schedules. A vendor that refuses any delay penalty is implicitly telling you they manage their resources around their own margins, not your timeline.

Clause 3: Production SLA (Availability and Response Time)

What the vendor proposes by default: an undefined availability SLA, or one defined with broad exclusions (maintenance windows, “force majeure”, third-party incidents).

What you must obtain: for a production SaaS ERP, a minimum 99.5% availability SLA (approximately 3.6 hours of tolerated downtime per month), with planned maintenance windows notified 72 hours in advance. In the event of breach: automatic service credits calculated on the monthly invoice.

Watch out for: how downtime is measured. An SLA calculated on an annual basis can mask critical periods (month-end, financial closes). Demand rolling monthly measurement.

Clause 4: Data Reversibility and Portability

This is the single most important clause in the contract, and the one vendors defend most vigorously.

What the vendor proposes by default: no explicit obligation to return data on exit, or vague wording (“we will provide your data on request”).

What you must obtain: a contractual obligation to deliver the entirety of your data in a standard format (CSV, SQL, XML or JSON) within 30 calendar days of any termination, at no extra cost. The format must be specified in a technical annex.

Absolute red flag: a vendor that refuses to specify the export format. Your data belongs to your organisation, not to your vendor. GDPR’s right to data portability reinforces this. If the vendor cannot commit to this before signing, it is a disguised refusal.

Clause 5: Price Escalation Terms

What the vendor proposes by default: annual revision indexed to a labour-cost index (such as SYNTEC in France, or similar regional indices), with no cap.

Why this is a risk: labour-cost indices in the IT services sector have risen significantly in recent years. Over a five-year contract with no cap, compounded annual increases can push cumulative licence-cost inflation beyond 20–25%.

What you must obtain: a contractual annual price-increase cap (for example: index variation capped at 3% per year), with an automatic renegotiation clause if the increase exceeds that threshold.

Clause 6: Change of Control Clause (Vendor Acquisition)

What the vendor proposes by default: silence. The contract says nothing about what happens if the vendor is acquired.

Why this is real: the ERP market has been consolidating for years — through PE-backed roll-ups, acquisitions of mid-market publishers, and platform plays by larger groups. An acquisition can change the product roadmap, support terms, or pricing policy.

What you must obtain: a right to terminate without penalty within 90 days if the vendor is acquired by a direct competitor in your sector or by a fund whose policy is incompatible with service continuity.

Clause 7: Ownership of Custom Developments

What the vendor proposes by default: custom developments you fund belong to the vendor or are absorbed into their standard codebase.

What you must obtain: depending on your negotiating leverage, aim for joint ownership of client-funded developments or, at minimum, a perpetual licence to use those developments independently of contract continuity. Minimum fallback: access to the source code of custom developments placed in escrow.

Clause 8: Data Location and Extraterritorial Law Exposure

What the vendor proposes by default: data is hosted “in the cloud” or “in a European data centre”, with no contractual specification of the exact country, and no mention of exposure to US law.

The real risk: the US CLOUD Act (2018) allows US authorities to compel companies subject to US law to produce data, even when that data is physically located in Europe. This applies to SAP, Oracle, Microsoft, Salesforce and their European subsidiaries.

What you must obtain: a contractual commitment to host data exclusively within the European Union with the country named, and a clause specifying how the vendor handles a potential US government request in light of GDPR obligations. A GDPR breach can expose your organisation to fines of up to €20 million or 4% of global annual turnover (GDPR Article 83).

Clause 9: Audit Rights and Log Access

What the vendor proposes by default: no explicit audit right in the contract.

What you must obtain: an annual audit right (with 30 days’ notice), conducted at your expense but by an auditor of your choice, and access to connection and data-access logs retained for at least 12 months. This right is essential for your GDPR compliance and for building an evidence file in the event of a dispute over an incident or malfunction.

Clause 10: Termination Conditions and Notice Period

What the vendor proposes by default: a 12-month notice period, termination only possible after an initial fixed term of 3–5 years, with penalties for early exit.

What you must obtain: a reasonable notice period of no more than 6 months for any client-initiated termination, with a clear contractual distinction between termination for convenience (standard notice) and termination for vendor fault (immediate, penalty-free). List gross misconduct triggers explicitly: repeated SLA breaches, insolvency, failure on data reversibility.

Clause 11: Maintenance Guarantee for the Production Version

What the vendor proposes by default: a maintenance obligation “for the current version” with no guaranteed minimum duration.

What you must obtain: a maintenance guarantee for the deployed version for at least 3 years after go-live, with a minimum 18-month advance notice before any forced migration to a major new version. Some mid-market vendors end-of-life versions within 18–24 months to force paid upgrades. Without this clause, you will follow the vendor’s calendar, not yours.

Clause 12: Source Code Escrow

Who this clause applies to: mid-market vendors with a proprietary on-premise or SaaS solution whose ten-year viability is not guaranteed. Less relevant for SAP, Oracle or Odoo (sufficient customer base and capital to absorb a crisis); critical for vendors with annual revenue below €50 million.

What you must obtain: an escrow arrangement placing the application source code with an independent third-party custodian (such as EscrowTech, NCC Group, or equivalent), with a release protocol triggered by insolvency, cessation of activity, or end of maintenance. The released code must allow your internal IT team or a third-party service provider to ensure corrective maintenance of the application.

What Vendors Often Refuse — and How to Hold Your Ground

Certain clauses face near-systematic refusal. Here are the most common objections and how to respond.

Refusal of data reversibility in a standard format: the vendor argues that “everything is exportable from the interface” and that this is sufficient. It is not: an interface export guarantees neither completeness, nor structured format, nor availability at termination. Response: “Without this contractual clause, we cannot demonstrate GDPR compliance on data portability rights. This is non-negotiable.”

Refusal of delay penalties: the vendor pleads “best efforts” and the unpredictability of projects. Response: propose an alternative mechanism — for example, a mandatory monthly review meeting from the first month of overrun, plus a formalised remediation plan within 15 business days. Less effective than financial penalties, but a minimally acceptable lever.

Refusal of the price-increase cap: the vendor claims they “cannot commit to the evolution of their labour costs”. Response: “Neither can we — which is why we need a predictability cap to build our multi-year budget plan.” If the refusal persists, add a mandatory renegotiation clause triggered above a threshold (for example, any annual increase exceeding 5% automatically triggers a contractual review within 60 days).

Maintenance Contracts and Integration Agreements: 5 Specific Points

The maintenance and support agreement deserves particular attention, because this is where ERP projects become costly over time:

  1. Distinguish corrective maintenance (bug fixes, obligation of result) from adaptive maintenance (new features, best-efforts obligation). These two types of service have different SLAs and must not be billed at the same rate.
  2. Specify the number of included days in the maintenance retainer and the rate for additional days. Uncapped retainer overruns are a frequent source of disputes in years 2 and 3.
  3. Demand a knowledge-transfer clause: at project close, the integrator must deliver functional and technical documentation for all custom developments, in a format reusable by another service provider.
  4. Confidentiality on third-party developments: if your integrator also works for your competitors, ensure that the custom developments you fund remain under strict NDA.
  5. Conditions for exiting maintenance: contractually define what you receive if you change integrators mid-contract: source code, documentation, open tickets, history of interventions.

Checklist: What to Bring to a Contract Negotiation Meeting

Before any contract negotiation meeting, verify that these 12 points are on the table:

  • Comprehensive functional scope annex, signed by both parties
  • Milestones and delay penalties attributable to the vendor
  • Minimum 99.5% availability SLA, measured monthly
  • Data reversibility in a standard format within 30 days, at no extra cost
  • Annual price-increase cap (index variation limited to X% per year)
  • Change of control clause with a 90-day exit right
  • Ownership or perpetual licence for custom developments
  • Contractual data location in the EU, CLOUD Act handling addressed
  • Annual audit right and log access (12 months retention)
  • Maximum 6-month termination notice, gross misconduct triggers listed
  • Current version maintenance guaranteed for 3 years minimum
  • Source code escrow (for mid-market vendors)

To go further on managing your vendor relationship, read our guide on ERP vendor lock-in and reversibility and our analysis of ERP total cost of ownership. For selecting your integration partner with the same contractual rigour, see our 100-point scoring grid for comparing three integrators.