CUST-17 Master Services Agreement (MSA)

What is CUST-17 Master Services Agreement (MSA) Control?

The Master Services Agreement’s objective is to communicate an organization’s responsibilities and agreed-upon commitments with its customers. This also includes the customer’s responsibilities and other relevant information about the contract in place, such as the term, provisions, SLA, etc. Most software-based companies have a Terms of Use instead of a signed MSA with each customer. An example of an MSA is Amazon Web Services (AWS), whose customer agreement is typically agreed to by the customer, and there isn’t a signed MSA unless it was specifically requested.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them.

Contracts

Evisort

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• N/A: no template for this section

Control implementation

To implement this control,

1. Work with legal counsel to draft an MSA template.
2. Work with legal counsel to draft and publish terms of use or a user agreement on the website.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Provide the MSA template or most recently signed MSA with a customer.
2. Provide a link to the terms of use or user agreement on the website.

Evidence example

For the suggested action, an example is provided below:

1.   Provide the MSA template or most recently signed MSA with a customer.
   Master Services Agreement Example
2. Provide a link to the terms of use or user agreement on the website.
   AWS customer agreement