enterprise-api-addendum

# Enterprise API Addendum Negotiation

Produces negotiation tables, clause language, decision trees, and internal readiness checklists for enterprise API addenda that layer over click-wrap terms. The addendum creates a document hierarchy (addendum → order form → DPA → SLA schedule → click-wrap) where precedence errors can elevate or gut standard terms, and misaligned indemnity or SLA clauses can create uncapped exposure.

## Pre-Draft Intake (Mandatory)

Ask every time unless user says "use defaults" or "just draft":

1. **Click-wrap API ToS** in production
2. **Governing contracts** — order form/SOW, existing MSA
3. **API spec** — endpoints, rate limits, versioning policy, criticality
4. **Data classification** — personal data, PCI/PHI, export-controlled, SSO, telemetry
5. **Commercial parameters** — fees, term, liability posture, exclusivity, MFN
6. **Partner requirements** — SLA targets, indemnity expectations, audit rights, insurance

**Defaults** (apply and label if user doesn't respond):

| Parameter | Default |
|---|---|
| Governing law / venue | Delaware / Delaware courts |
| Data sensitivity | No PCI/PHI; limited personal data |
| SLA | 99.9% monthly uptime; 24×5 support; scheduled maintenance excluded |
| Liability cap | 12 months' fees; exclude indirect; super-cap 2× for confidentiality/privacy |
| Exclusivity | None; "preferred partner" marketing only |
| Breaking changes | 90 days' notice; security patches exempt |

## Step 1: Deal Architecture and Delta Analysis

Map gaps between click-wrap and enterprise requirements:

| Clause | Click-Wrap Default | Enterprise Ask | Strategy |
|---|---|---|---|
| SLA / Uptime | "As-Is" | 99.9–99.99% with credits | Credits; exclude beta + scheduled maintenance |
| Indemnity | None or limited | Broad IP + data breach | Cap at ACV multiple; standard exclusions; control of defense |
| Liability Cap | $100 or 1 month's fees | 12–24 months'; super-caps | Tiered: general cap + super-cap for data/IP |
| Breaking Changes | At will | 90–180 days' notice; sunset | Define narrowly; exempt security patches |
| Data Rights | Broad aggregate license | Service-delivery only; strict anonymization | Precise "Anonymized" definition |
| Termination | At will | For-cause only; wind-down | Cure period; transition assistance |
| Audit Rights | None | Annual security/compliance | Once/year at Customer's expense; more if breach |

### Architecture Checklist

- [ ] Click-wrap incorporated by reference or restated?
- [ ] Addendum covers entity only or also affiliates?
- [ ] Production only or also sandbox/beta?
- [ ] Multiple docs (Order Form, DPA, Security Exhibit, SLA Schedule)?
- [ ] MFN precedence clause accidentally elevates click-wrap?
- [ ] Amendment-by-posting locked for this partner?

### Precedence Matrix

| Document | Rank | Conflict Rule |
|---|---|---|
| Enterprise API Addendum | 1 (highest) | Controls over click-wrap |
| Order Form / SOW | 2 | Controls for commercial items |
| DPA | 2–3 | Higher for privacy conflicts |
| SLA Schedule | 3 | Controls for SLA topics |
| Security Exhibit | 3–4 | Must align with SLA and incident clause |
| Click-wrap API Terms | Lowest | Incorporated subject to addendum |

**Incorporation + Lock-In Clause:**

> "The Online API Terms are incorporated by reference solely as modified by this Addendum. In the event of conflict, this Addendum controls. For the Partner only, the Online API Terms will not be amended in a manner that materially diminishes Partner's rights or increases Partner's obligations without Partner's written consent."

## Step 2: Indemnification and Liability

| Topic | Customer Ask | Vendor Default | Fallback |
|---|---|---|---|
| IP indemnity | Broad | Unmodified API, U.S. IP only | Exclude foreign patents; cap to fees; modify/replace/refund |
| Data breach | All losses/fines | Vendor's failure per Security Exhibit | Super-cap 2× fees; direct damages only |
| Customer misuse | Silent | Customer indemnifies for unlawful use | Narrow to third-party claims from Customer's apps |
| Cap amount | 2–5× or uncapped | 12 months' fees paid/payable | 24 months'; fixed dollar amount |
| Indemnity vs. cap | Outside cap | Inside cap (IP possibly outside) | IP outside general cap with separate cap |
| Excluded damages | Some consequential | Exclude all indirect/consequential/punitive | Direct only; limited confidentiality carve-out |
| Confidentiality carve-out | Uncapped | Super-cap 2× | Separate fixed cap or insurance limits |

### Key Clauses

**IP Indemnity (balanced vendor form):**

> "Provider will defend Partner against any third-party claim alleging that the unmodified API, when used in accordance with this Agreement and Documentation, infringes such third party's U.S. copyright, U.S. trade secret, or U.S. patent, and will pay damages finally awarded or agreed in settlement, provided Partner (a) promptly notifies Provider, (b) allows Provider sole control of defense and settlement, and (c) reasonably cooperates."

**IP Exclusions:**

> "Provider has no obligation to the extent a claim arises from: (i) Partner Data or Partner Applications; (ii) modifications not made by Provider; (iii) combination with items not provided by Provider; (iv) use outside scope or contrary to Documentation; (v) failure to use updates made available to avoid infringement."

**Limitation of Liability:**

> "Except for Excluded Claims, each party's aggregate liability will not exceed the fees paid or payable under the applicable Order Form in the 12 months preceding the event giving rise to the claim ('General Cap'). In no event will either party be liable for indirect, incidental, special, consequential, exemplary, or punitive damages."

**Excluded Claims / Super-Cap:**

> "'Excluded Claims' means: (a) Customer's payment obligations; (b) Customer's indemnification obligations; (c) either party's breach of confidentiality (capped at 2× General Cap); (d) Provider's IP indemnification (capped at 2× General Cap); (e) gross negligence or willful misconduct."

## Step 3: SLA, Support, and Credits

### SLA Schedule

| Metric | Value |
|---|---|
| Monthly Uptime % | 99.9% |
| Downtime definition | API not responding HTTP 2xx for ≥5 consecutive minutes |
| Measurement | Provider monitoring + logs |

**Exclusions:** Scheduled maintenance (72h notice), emergency maintenance, force majeure, Partner's systems/network, rate-limit throttling, beta features.

### Service Credits (sole and exclusive remedy)

| Monthly Uptime % | Credit (% of Monthly Fees) |
|---|---|
| < 99.9% and ≥ 99.5% | 5% |
| < 99.5% and ≥ 99.0% | 10% |
| < 99.0% | 20% |

Request within 30 days. Max aggregate: 20% monthly fees. Apply to future invoices (cash refund if no future invoices).

### Support

| Item | Default | Premium |
|---|---|---|
| Hours | 24×5 | 24×7 (additional cost) |
| P1 response | 1 hour | 30 minutes |
| P2 response | 4 hours | Negotiable |
| Dedicated TAM | Not included | Top-tier deals |

**Critical:** Distinguish response from resolution times. Resolution = "commercially reasonable efforts" only — never attach SLA credits to resolution.

**Chronic Failure:** Termination right only if uptime < 99.0% for 2 consecutive months after documented cure plan.

## Step 4: Exclusivity and Competitive Restrictions

### Decision Checklist

- [ ] What consideration supports exclusivity? (minimum spend, volume, co-development)
- [ ] Scope: which endpoints, use cases, verticals, territories?
- [ ] Term: short duration, renewable on milestones?
- [ ] Exceptions: existing customers, strategic accounts, affiliates, acquisitions?
- [ ] Remedy for breach: termination of exclusivity only (not broad damages)?
- [ ] Antitrust review needed? (especially EU/UK)

### Graduated Options

| Option | Risk | Use When |
|---|---|---|
| No exclusivity (default) | None | Standard deals |
| Preferred partner marketing | Low | Recognition without restriction |
| Limited vertical exclusivity | High | Significant committed spend + milestones |
| MFN | Medium-High | Sparingly; pricing only, similarly situated, with sunset |

**MFN Guardrails:** Similarly situated customers + pricing only. Exclude promotional/pilot/strategic deals. Prospective credit only (not retroactive). Sunset after 12 months.

## Step 5: Technical Governance and Data Rights

**Breaking Change Definition:**

> "'Breaking Change' means any modification to the API that requires Partner to modify its code to maintain existing functionality, including removal of endpoints, changes to request/response schemas, or modification of authentication methods."

**Notice & Sunset:**

> "Provider will give Partner at least [90] days' prior written notice before implementing a Breaking Change. Provider will maintain the prior version for at least [180] days following notice. This Section does not apply to changes required to address security vulnerabilities, comply with law, or prevent imminent harm."

**Audit Rights:** Once/year at Partner's expense, 30 days' notice, scope limited to security + DPA compliance. Additional audits if breach. May satisfy via SOC 2 Type II or ISO 27001.

**Data Rights:**
- Partner retains all rights in Partner Data; Provider retains all rights in API and derivatives
- Provider uses Partner Data solely to provide API Services
- Aggregate/anonymized use requires precise "Anonymized Data" definition (irreversibly de-identified; cannot be re-identified)
- If personal data in scope, incorporate DPA

## Step 6: Consolidation and Internal Alignment

### Term Sheet

| Category | Agreed/Proposed | Fallback | Owner |
|---|---|---|---|
| API scope + endpoints | | | Product |
| Fees / usage limits | | | Sales / Finance |
| SLA / support / credits | | | SRE / Support |
| Indemnity (IP) | | | Legal |
| Indemnity (data breach) | | | Legal / Security |
| Liability cap & carve-outs | | | Legal / Finance |
| Exclusivity / MFN | | | BizDev |
| Breaking changes / versioning | | | Product / Engineering |
| Term / termination | | | Legal / Sales |

### Internal Readiness

- [ ] SRE: monitoring supports SLA measurement; maintenance windows defined
- [ ] Support: hours, P1 definitions, escalation path, staffing achievable
- [ ] Security: controls and incident response match Security Exhibit
- [ ] Privacy: DPA necessity and cross-border transfer mechanism confirmed
- [ ] Finance: credit mechanism, revenue recognition, insurance adequacy confirmed
- [ ] Product/Engineering: breaking-changes notice period feasible
- [ ] Legal: precedence clause prevents unilateral click-wrap changes
- [ ] Compliance: exclusivity reviewed for antitrust implications

## Post-Draft Alignment (Mandatory)

After delivering the initial package, ask:

1. Does the delta analysis correctly capture click-wrap vs. partner gaps?
2. Are indemnity and liability positions within approved risk tolerance?
3. Has SRE confirmed SLA metrics and credits are operationally achievable?
4. Should I produce specific clause language for any section?

## Quality Checks

- Delta analysis covers all material clause categories
- Precedence matrix prevents accidental click-wrap elevation
- Indemnity includes caps, exclusions, and super-cap structure
- SLA metrics, exclusions, and credit table are complete
- Service credits specified as sole and exclusive remedy
- Breaking Change excludes bug fixes and security patches
- Exclusivity (if any) has consideration, scope, term, exceptions, remedy
- "Fees paid" vs. "fees payable" clarified in liability cap
- MFN limited to pricing only (no legal terms)
- Amendment-by-posting locked for this partner
- All clause language marked as negotiation starting points

## Red Flags — Reject or Escalate

1. Uncapped liability for confidentiality or privacy breaches
2. IP indemnity covering Partner's own applications or data
3. SLA termination right for any single-month miss
4. MFN covering legal terms (not just pricing)
5. Unilateral click-wrap amendment overrides negotiated terms
6. Resolution-time SLA commitments with credits attached
7. Uncapped service credits (no aggregate monthly max)
8. Broad exclusivity without consideration or milestones
9. Audit rights with no frequency limit or scope boundary
10. "Breaking Change" so broad it covers bug fixes and security patches

## Guidelines

- Clarify "fees paid" vs. "fees payable" in every liability cap
- Always exempt security patches and legal compliance from breaking-change notice
- Service credits must be sole and exclusive remedy for SLA breach
- Regulatory fines as indemnifiable damages: enforceability varies — flag for local counsel
- Cross-reference DPA when personal data is in scope
- Verify entity names, signature authority, and affiliate definitions before execution
- Mark uncertain enforceability positions with [VERIFY]

**Required disclaimer on every output:**

> THIS NEGOTIATION GUIDANCE IS A DRAFTING AID AND REQUIRES REVIEW BY QUALIFIED LEGAL COUNSEL. IT DOES NOT CONSTITUTE LEGAL ADVICE.