Legal & Security Review Basics

Legal and security review are where deals slow to a walk. Customer counsel queues are the throughput constraint; security review queues at large enterprises routinely run 4–8 weeks. Both are predictable, both are addressable, and both are the most-overlooked workstreams in a typical sales motion.

Standard enterprise paper consists of:

• MSA (Master Services Agreement) — umbrella terms; negotiated once, persistent
• Order Form / SOW — what is being purchased on this transaction
• DPA (Data Processing Agreement) — required under GDPR and similar regimes
• SLA — uptime, support response, remedies
• Security exhibit — your security program summary, incident response, sub-processor list
• BAA (healthcare) — Business Associate Agreement under HIPAA
• FedRAMP / regulated addenda — sector-specific

Knowing which apply to this customer before legal engages is non-negotiable. Mismatched packages restart the cycle.

Security review typically follows a sequence:

1. Initial questionnaire — SIG, CAIQ, or customer-specific spreadsheet (often 100–300 questions)
2. Documentation review — SOC 2 Type II report, ISO 27001 cert, pen test summary, architecture diagrams
3. Architectural / technical review — calls with customer security architects on data flow, encryption, access controls, sub-processors
4. Risk assessment write-up — internal customer document; you rarely see it
5. Sign-off — security signs off on the MSA package as a precondition to legal closing

Maintain a pre-completed answer library and standard documentation package. A customer security team can move 5x faster against a vendor that responds in 48 hours with curated artifacts than one that scrambles to assemble responses.

• Customer counsel queue — your deal joins the back of a line; only your sponsor can re-prioritize
• DPA sub-processor disagreements — customer wants approval rights on additions; you typically resist
• Liability cap negotiation — customer wants higher cap; you have a hard ceiling
• Indemnity scope — IP indemnity is standard; customer often asks for broader cyber/breach indemnity
• Data residency — EU/regulated customers require in-region processing; if you cannot, the deal is structurally blocked
• SLA remedies — customer asks for cash credits; you offer service credits
• Termination for convenience — customer wants right to exit any time; you require minimum term
• Audit rights — customer wants on-site audit; you offer SOC 2 in lieu

Know your standard / negotiable / never on each, in writing, before negotiation begins.

Pre-empt with a four-step playbook:

1. At Stage 2 — deliver standard MSA, DPA, SLA, and security questionnaire response library to the Champion as part of the technical review pack
2. At Stage 3 — schedule legal-to-legal and security-to-security introductions; brief your counsel on this customer's known patterns (if you have prior history)
3. At Stage 4 — issue redlines in one batch with explanations, not piecemeal; offer a 60-minute call to walk through them
4. At Stage 5 — escalate any open issues to executive sponsors on both sides with specific written asks

Proactivity is the entire game. Reactive legal coordination is how clean deals slip without anyone seeing it coming.

Set buyer expectations explicitly: 'Legal and security review at companies your size typically runs 4–6 weeks. We'll start it in parallel with the business case approval to protect the timeline. Here is what we'll need from your team and when.' Customers respect candor about the timeline; they punish surprise. The MAP makes both visible.

Internal alignment determines speed. Brief in writing:

• Your counsel — customer name, deal value, target signature, deviations from standard, sponsor escalation path
• Security / TrustOps — the customer's specific questionnaire and timeline
• Deal desk — any non-standard commercial terms in flight
• Customer success — implementation expectations to align on in the SOW
• Executive sponsor — the escalation path they may need to use

Unaligned internal teams produce contradictory positions to the customer, which destroys trust faster than any redline.

A vendor was on track to close a $2.3M deal in Q3. Security review surfaced in week 8 of the quarter; the customer's security team requested an in-region processing commitment the vendor could not yet meet. The deal slipped to Q4 while the vendor stood up an EU region. A peer deal at a different customer surfaced the same requirement at Stage 2 (a single discovery question: 'do you have data-residency requirements?'). The peer team de-scoped the EU portion of the contract, structured a phased rollout, and signed in-quarter. Same constraint, different timing of discovery.