Every founder and seller knows the feeling. The buyer is sold, the demo landed, a verbal "yes" is on the table. Then the deal disappears into a fog of acronyms (MSA, DPA, SIG, SOC 2), and the verbal yes turns into a 90-page redline and a 1,200-question spreadsheet. The deal didn't die. It hit the part of enterprise selling that nobody trains you for: the gate that exists to manage the buyer's risk, not their desire.
The quick version
- These gates aren't sales; they're risk transfer. Procurement, legal and security exist to make sure your company can't quietly become the buyer's problem. Sell to the desire; clear the gate by reducing fear.
- Three documents do three jobs. The MSA sets the legal rules of the relationship, the DPA governs personal data, and the security questionnaire proves you won't be the breach in the headline.
- The slow part is now the biggest part. Enterprise software deals commonly run 6–12 months, and procurement, legal and security reviews are routinely the longest single phase.
- You can pre-empt almost all of it. A SOC 2 report, a standard DPA, a pre-filled security questionnaire and a known walk-away line on liability turn a three-month stall into a three-week process.
The idea in depth: you're being de-risked, not negotiated with
The mental model that unblocks all of this: once a deal reaches procurement, you are no longer being sold to, you are being de-risked. The economic buyer wants your product. Procurement, legal and infosec want to know what happens when something goes wrong. Who pays if you leak the data? Who owns the work? What if you go bust mid-contract? Their job is to assume you're a liability until you prove otherwise.
This is the practical face of an old idea about why firms behave the way they do. Buying from an outside vendor isn't free even after the price is agreed; there's the cost of finding you, checking you, contracting with you and policing the deal, what economists since Ronald Coase have called transaction costs. A big company's procurement function is the institution it built to manage those costs at scale. So stop reading the gate as friction. It's the buyer's risk system doing exactly what it was built to do, and your job is to be the lowest-risk option in the file.
It helps to know the cast. Three documents carry most of the weight, and they answer three different fears.
```mermaid
flowchart TD
A(["Verbal 'yes' from the buyer"]) --> B(["Procurement & legal gate"])
B --> C{"Three fears,<br/>three documents"}
C -->|"What are the legal rules?"| D(["MSA<br/>liability, IP, term, exit"])
C -->|"What about personal data?"| E(["DPA<br/>processor duties, sub-processors"])
C -->|"Will you be the breach?"| F(["Security questionnaire<br/>SIG / CAIQ + SOC 2"])
D --> G(["Signed deal"])
E --> G
F --> G
```
The MSA: the rules of the whole relationship
The Master Service Agreement is the constitution of the deal. It front-loads the boilerplate (liability, intellectual property, confidentiality, term and termination, dispute resolution) into one negotiation at the start, so that later orders (each Statement of Work or order form) can be signed quickly without re-litigating the whole thing. That's the genuine efficiency of the structure: once an MSA exists, subsequent orders need far fewer negotiation cycles because the hard terms are already settled.
The clause that consumes the most negotiating energy is almost always limitation of liability. A common SaaS structure caps each party's liability at the fees paid in the prior 12 months and excludes "indirect" or consequential damages (lost profits, lost revenue, business interruption) entirely. Indemnities (your promise to cover the buyer's legal costs if, say, your software infringes someone's patent) usually sit outside that cap, because an indemnity limited to a year's fees would give the buyer little protection against a third-party claim that could be far larger. The mistake is to settle all of this at 11pm on a Friday with the deal hanging on it. Decide your liability position before you're in the room: know your cap (often 12 months' fees), know your hard "no" (uncapped general liability), and know where you'll trade, say, accepting a higher cap for data-breach claims in exchange for the buyer carrying their own consequential losses.
An honest limitation: none of this is legal advice, and the "standard" cap is a negotiating convention, not a law. Liability law, enforceability of damage exclusions and data-protection rules vary by jurisdiction and deal size. Treat the patterns here as a map of the terrain, then have a qualified lawyer mark your real walk-away lines for the contract in front of you. The point of knowing the patterns isn't to skip the lawyer; it's so you're not learning the vocabulary live, on the call that decides the deal.
The DPA and the security questionnaire: proving you won't be the leak
If the buyer's customers' personal data will touch your systems, a Data Processing Agreement is not optional; it's a legal requirement. Under the EU GDPR, when a "controller" (the buyer) hands personal data to a "processor" (you), the relationship must be governed by a binding written contract (Article 28). That contract has to pin down specific duties: you process data only on the controller's documented instructions, you keep it confidential, you help with breach notifications and data-subject requests, you delete or return the data at the end of the engagement, and, crucially, you can't bring in a sub-processor (your own cloud host, say) without the controller's prior written authorisation. That authorisation can be specific to each sub-processor or general; under a general authorisation you must still tell the controller about additions and replacements and give them the chance to object. The fix is dull and effective: keep a maintained, standard DPA and a current sub-processor list ready to send, so a request that looks like a blocker becomes a one-email attachment.
The security questionnaire is the buyer's infosec team asking, in spreadsheet form, "will you be the breach in our headline?" The two you'll meet most are the Standardized Information Gathering (SIG) questionnaire from Shared Assessments, a heavyweight that can run to well over a thousand questions across many risk domains, and the shorter, cloud-focused CAIQ from the Cloud Security Alliance, a set of yes/no questions that's free to download. The single best accelerant here is an independent attestation. A SOC 2 report (a Type II, which covers how your controls operated over a period rather than at a single point in time, is what most buyers want) or an ISO 27001 certificate doesn't replace the questionnaire, but it lets you answer big chunks of it with "see attached report," and many enterprise buyers accept the SOC 2 as the supporting evidence behind your answers.
```mermaid
flowchart LR
A(["Security questionnaire arrives"]) --> B{"Do you have a<br/>maintained answer library?"}
B -->|"Yes"| C(["Pre-fill 80%,<br/>attach SOC 2,<br/>return in days"])
B -->|"No"| D(["Scramble across teams,<br/>weeks of delay,<br/>deal cools"])
C --> E(["Trust built,<br/>gate clears"])
D --> F(["Late surprises,<br/>renegotiation"])
```
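What a maintained answer library looks like in practice, as an added example that is not part of the original page: a small Python script that matches incoming questionnaire rows against vetted canonical answers by normalised token overlap, pre-fills confident and recently re-vetted matches with the stored answer and its evidence pointer, and sends everything else to human review, including a perfect match whose answer nobody has re-checked in over a year. Every question, answer, evidence reference and date in it is constructed for illustration; the SOC 2 control references are hypothetical pointers, not citations from a real report.

```python
"""Pre-fill an incoming security questionnaire from a maintained answer library.

Added example, not code from the page. Every question, answer, evidence
reference and date below is constructed for illustration. Incoming rows
are matched to vetted canonical questions by token overlap after crude
normalisation; confident, fresh matches are pre-filled with the stored
answer and its evidence pointer, everything else is queued for a human.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Words that carry no meaning for matching ("Do you ...", "Is ... the ...").
STOPWORDS = {"a", "an", "and", "any", "are", "at", "by", "do", "does", "for",
             "has", "have", "in", "is", "of", "on", "or", "the", "to", "you",
             "your", "with"}


def stem(word: str) -> str:
    """Crude suffix stripping so 'performed'/'perform' and 'testing'/'test' align."""
    for suffix in ("ing", "ed", "ly", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def normalise(text: str) -> frozenset:
    """Lower-case, drop stopwords, stem; order and punctuation are irrelevant."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return frozenset(stem(t) for t in tokens if t not in STOPWORDS)


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass(frozen=True)
class LibraryEntry:
    question: str   # canonical wording of a question answered before
    answer: str     # vetted answer text
    evidence: str   # where the proof lives (SOC 2 control, policy, DPA annex)
    reviewed: date  # last time a human confirmed this answer is still true


@dataclass(frozen=True)
class Prefill:
    question: str
    status: str              # "prefilled" or "review"
    answer: Optional[str]
    evidence: Optional[str]
    score: float


def prefill(questions, library, today, threshold=0.5, max_age_days=365):
    """Match each incoming question to its best library entry.

    A match is pre-filled only if it is both confident (score >= threshold)
    and fresh (re-vetted within max_age_days). A stale answer that matches
    perfectly still goes to review: a questionnaire answer is a promise.
    """
    results = []
    for q in questions:
        q_tokens = normalise(q)
        best, best_score = None, 0.0
        for entry in library:
            score = jaccard(q_tokens, normalise(entry.question))
            if score > best_score:
                best, best_score = entry, score
        fresh = best is not None and (today - best.reviewed).days <= max_age_days
        if best is not None and best_score >= threshold and fresh:
            results.append(Prefill(q, "prefilled", best.answer, best.evidence, best_score))
        else:
            results.append(Prefill(q, "review", None, None, best_score))
    return results


def coverage(results) -> float:
    """Fraction of the questionnaire answered from the library."""
    return sum(r.status == "prefilled" for r in results) / len(results) if results else 0.0


# Constructed answer library; the evidence strings are hypothetical pointers.
LIBRARY = [
    LibraryEntry("Is customer data encrypted at rest?",
                 "Yes, AES-256 via the cloud provider's managed key service.",
                 "SOC 2 Type II report, CC6.1 (encryption at rest)", date(2024, 3, 1)),
    LibraryEntry("Do you perform annual penetration testing by an independent third party?",
                 "Yes, annually; the latest summary letter is available under NDA.",
                 "Pentest summary letter, 2024", date(2024, 2, 15)),
    LibraryEntry("Is multi-factor authentication enforced for all employee access to production?",
                 "Yes, hardware-backed MFA is enforced via SSO for all production access.",
                 "SOC 2 Type II report, CC6.1 (logical access)", date(2024, 1, 20)),
    LibraryEntry("Do you maintain a list of sub-processors and notify customers of changes?",
                 "Yes; the list is an annex to our DPA and changes are notified 30 days ahead.",
                 "DPA Annex B (sub-processor list)", date(2024, 4, 2)),
    LibraryEntry("Do you have a documented business continuity plan?",
                 "Yes, reviewed annually.", "BCP policy v2", date(2023, 1, 10)),  # stale
]

# Constructed incoming questionnaire rows, worded differently from the library.
INCOMING = [
    "Is data encrypted at rest?",
    "Is penetration testing performed annually by an independent third party?",
    "Is MFA enforced for all employee access to production?",
    "Do you maintain a list of sub-processors and notify customers of changes?",
    "Do you have a documented business continuity plan?",
    "Has your organisation suffered a data breach in the last 24 months?",
]


def run_example(today=date(2024, 6, 1)):
    return prefill(INCOMING, LIBRARY, today)


if __name__ == "__main__":
    results = run_example()
    for r in results:
        tail = f"  -> {r.evidence}" if r.evidence else ""
        print(f"{r.status:9} {r.score:.2f}  {r.question}{tail}")
    print(f"coverage: {coverage(results):.0%}")
```

Two design choices matter more than the matching itself. First, every library entry carries an evidence pointer, so a pre-filled answer arrives with the proof the buyer's infosec team will ask for next. Second, every entry carries a review date and the script refuses to pre-fill from a stale one even on an exact match; the "80% pre-filled, rest reviewed" split the text describes only works if the 80% is still true. The Jaccard threshold is deliberately crude; a real library would add synonyms (MFA / multi-factor) and a human always reads what gets pre-filled.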
Why this matters commercially: the gate is now the slow part. Enterprise software sales cycles commonly run 6–12 months, and across the industry procurement, legal and security review have become the longest single phase of the journey; security and vendor-risk reviews alone routinely add weeks, and more when gaps surface late. The lesson connects directly to your sales process & pipeline management: a deal that's "closing" but hasn't started its security review isn't closing, it's about to discover a hidden month. Forecast the gate as a stage, not a formality.
A worked example
Illustrative figures: the numbers below are made up to show the reasoning, not real benchmarks.
A 30-person analytics startup has a £180k/year deal with a European bank. The champion is thrilled. Then three things land in the same week:
- The MSA redline. The bank's legal team wants uncapped liability and a 30-day termination-for-convenience clause. Taken literally, that's a company-ending risk for a fee of £180k.
- The DPA. The bank insists on EU data residency and a named sub-processor list, with the right to object to changes.
- A 900-line SIG questionnaire, due in five business days.
The panicked version: the founder agrees to the uncapped liability to save the deal, and three engineers answer the questionnaire from scratch. The de-risked version runs differently. On liability, the startup holds its prepared line: general liability capped at 12 months' fees (£180k), plus a higher, separate cap for data-breach claims and proof of cyber-insurance to back it; that trade usually satisfies a bank's real fear (a breach) without betting the company. On the DPA, EU residency is already true and the sub-processor list already exists, so it's a same-day reply. On the questionnaire, last quarter's SOC 2 plus a maintained answer library means 80% is pre-filled and the rest is reviewed, not invented; it goes back in three days, not three weeks. Same deal, same product; the second team simply treated the gate as a known stage and arrived carrying the answers. Pair this with disciplined sales methodologies (MEDDIC, SPIN, Challenger, solution selling): MEDDIC's "P" for paper process exists precisely so you map this gate before you hit it.
Frequently asked questions
Whose paper should we use, ours or theirs?
Start on yours if you can; the party whose template wins the negotiation usually keeps more favourable defaults. But a large enterprise will often insist on its own MSA, and below a certain deal size that fight isn't worth it. The practical rule: push to use your paper for small and mid deals, accept theirs for genuinely large ones, and either way know your three or four non-negotiable clauses cold so you can redline fast instead of capitulating.
What's the single fastest way to speed up a security review?
Get a SOC 2 report (or ISO 27001) and build a reusable answer library. The report won't eliminate the questionnaire, but it lets you answer large sections by reference and gives the buyer's infosec team an independent attestation they already trust. The answer library (your maintained, vetted responses to common questions) turns the next questionnaire from a from-scratch project into a copy-edit. Tie each stored answer to its evidence and to the date it was last checked, so a response that was true two audits ago doesn't get pasted into a new deal. Together they're the difference between days and weeks.
The buyer wants uncapped liability. Do we have to agree?
Rarely, and almost never on general liability. The standard convention caps liability at recent fees and excludes consequential damages, with carve-outs (indemnities, breaches of confidentiality, data breaches) sitting above the cap. Uncapped everything means a £180k deal could cost you the company. The usual landing spot is a modest general cap plus a higher, specific cap for the risk the buyer actually fears, typically a data breach, backed by insurance. Get a lawyer to set your real floor.
Why does a DPA matter if our contract already covers confidentiality?
Because confidentiality and data protection are different legal regimes. If you process personal data on the buyer's behalf, GDPR Article 28 requires a binding contract with specific processor obligations, instructions, sub-processor authorisation, breach assistance, deletion, that a generic confidentiality clause doesn't satisfy. A missing or non-compliant DPA isn't just a gap in your paperwork; for a regulated buyer it can be a legal reason they cannot sign at all.
Can we just skip procurement by selling to the budget holder?
For small deals on a corporate card, sometimes. For anything material, no, and trying to route around procurement usually backfires, because the gate exists by policy and the people who run it have veto power. The better play is to bring procurement in early, ask your champion who owns legal and security sign-off, and start the security review in parallel with the commercial close rather than after it.
Related in the Toolkit
- GTM strategy & motions (product-led, sales-led, channel-led), moving up-market into enterprise is what makes these gates appear; the motion you pick determines how often you'll face them.
- Sales methodologies (MEDDIC, SPIN, Challenger, solution selling), MEDDIC's "paper process" step is built to surface the procurement gate before it surprises you.
- Sales process & pipeline management, treat procurement, legal and security as a forecastable stage, not a formality, and your pipeline stops lying to you.
- Territory, segment & quota design, enterprise deals carry long, gated cycles; quota and ramp expectations have to account for the procurement lag.
- Funnel & conversion optimisation, the procurement gate is where late-stage deals leak; instrumenting it shows you where deals actually stall.
- Customer needs identification & latent needs, infosec and legal are stakeholders with real (often unspoken) needs; reading them is the same skill applied to the back office.
- Design sprints, the same "reduce risk early, prototype the hard part" instinct that de-risks a product also de-risks a deal.
- Engagement, retention & loyalty programs, the MSA's term, renewal and exit clauses you negotiate now shape how retention plays out later.
Where to go next
- GDPR Article 28, "Processor" (full text), the primary source for what a DPA must contain; read it before you sign or send one.
- Cloud Security Alliance, Cloud Controls Matrix & CAIQ, download the free CAIQ to see the exact security questions enterprise buyers will ask, and pre-answer them.
- "SOC 2 vs Security Questionnaires", Secureframe, a clear explainer of how a SOC 2 report and a questionnaire relate, and why the report accelerates the review.
- "What Is an MSA?", Ironclad, a readable primer on the master service agreement, its key clauses and why the MSA/SOW split speeds up later deals.
- "Build an Enterprise Software Startup", Jason Lemkin, SaaStr (video), the co-founder of EchoSign on how enterprise selling really works, including the long, gated cycle these documents create.