NDA / MSA / DPA — the legal stack

Real agency engagements run on a layered contract structure, not a single contract. The SOW is the project-specific document, but several other contracts surround it — some signed before the SOW, some signed alongside it, some executed during delivery. Senior engineers who see only the SOW miss most of the legal stack their engagement actually runs on.

The five named documents in agency-side legal:

  • NDA (Non-Disclosure Agreement / Confidentiality Agreement). Signed before the scoping call when the client needs to share confidential information for the agency to scope the engagement. Mutual NDAs (both sides protected) are the modern default; one-way NDAs (only the client protected) are a procurement-driven anti-pattern. Lasts the duration named in the document — typically 2–5 years.
  • MSA (Master Services Agreement). The umbrella legal contract between agency and client. Signed once at the start of the relationship and reused across every subsequent engagement. Covers cross-cutting terms: liability caps, indemnification, IP ownership defaults, governing law, dispute resolution, confidentiality (often subsumes the NDA), insurance requirements, sub-contractor rules. The MSA is the document that makes a relationship a partnership rather than a series of one-shot transactions.
  • SOW (Statement of Work). The project-specific contract executed under the MSA. One per engagement. Covers scope, deliverables, timeline, payment, acceptance criteria, change control. The MSA’s terms govern; the SOW’s specifics apply.
  • DPA (Data Processing Agreement). Required under GDPR / UK GDPR / many state-level US privacy laws (CCPA, others) whenever the agency processes personal data on the client’s behalf. Names the data categories, the processing purpose, the security measures, the sub-processors used, the breach-notification window, and the data-deletion obligations at engagement end. Signed alongside the MSA (or as an MSA addendum) for any engagement touching personal data.
  • Change Order (or SOW Amendment). A formal SOW amendment executed during delivery when scope, timeline, or pricing materially change. Distinct from the operational change-control flow that runs the backlog impact assessment — the change order is the legal artefact that captures the commercial outcome. Each change order references the SOW it amends and is signed by both parties before the changed work proceeds.

Some engagements also touch peripheral contracts: client-side security questionnaires (SIG, CAIQ, custom), Business Associate Agreements (BAAs — required under HIPAA for engagements touching US healthcare data), security-incident-notification side letters, sub-contractor agreements (where the agency uses other agencies or freelancers on the engagement), and source-code escrow agreements (where the client wants insurance against agency disappearance). The five named documents above are the load-bearing core; the peripheral contracts attach as the engagement requires.

Sign the NDA before the scoping call where it matters. A scoping call where the client cannot share their actual problem because there is no NDA is a wasted scoping call. The agency keeps a standard mutual-NDA template ready to send within 24 hours of an inbound enquiry that warrants one. Signing is a 1–2 day exercise on a known template, not a 6-week negotiation. Engagements that allow the NDA to delay the scoping call discover that competing agencies signed faster and won the engagement.

Sign the MSA once, with negotiation effort proportional to the relationship’s expected lifetime. The MSA is the contract the agency cares most about because it persists. The first engagement with a new client is the only chance to negotiate liability caps, IP terms, and indemnification language; once signed, every subsequent engagement runs under it. Mature agencies invest 2–6 weeks of legal review on a new-client MSA and reuse it across years of engagements; agencies that treat the MSA as another SOW find themselves with terms that bite at engagement five rather than at engagement one.

Use the MSA-plus-SOW pattern, not the single-contract pattern. The temptation on a one-shot engagement is to fold the legal terms into the SOW itself — one document, one signature. The pattern works for the first engagement and fails the second: when the client returns, the agency either re-negotiates the legal terms from scratch or asks the client to sign an MSA after the fact (which often does not happen). Mature agencies use the MSA-plus-SOW pattern from engagement one, even on small engagements, so the second engagement’s commercial conversation is just the new SOW.

Sign the DPA on every engagement that touches personal data, even when “we don’t really process much data.” The GDPR threshold is not the amount of personal data processed; it is whether any personal data is processed on the client’s behalf. An agency that builds an internal admin tool that handles employee names is processing personal data. The DPA names the data categories, the security measures, and the breach-notification window — and signing it is the only defensible commercial position when a regulator asks. Engagements that skip the DPA on grounds of “minimal data” discover at audit time that the regulator’s view of “minimal” differs from the agency’s.

Issue change orders, not change requests, when scope shifts during delivery. A “change request” is the operational artefact — the PM-owned impact assessment that decides whether to accept, reject, or scope-adjust. A “change order” is the legal artefact — a signed amendment to the SOW capturing the commercial outcome (new scope, new timeline, new price). Engagements that handle scope shifts informally — Slack messages, verbal agreements, “we’ll handle the paperwork later” — discover at month four that nobody can produce a signed record of what was agreed, and the engagement enters dispute over $50k of work that was performed without contractual cover.

Map every engagement’s data flow against the DPA before delivery starts. The DPA names data categories and purposes; the engagement’s actual data flow has to match. Mature agencies run a 30-minute data-flow review at engagement kickoff: what personal data does the system handle, where does it live, who touches it, what does the agency need to access during build and post-launch operations, what sub-processors are involved (Cloudflare? AWS? OpenAI?). Engagements that delay this review until a regulator or client-side privacy officer asks for it find the conversation goes badly.

Plan the data-deletion obligation into the engagement closeout. The DPA names what happens to client data at engagement end — deletion, return, or retention under specified terms. The obligation is real and dated; the agency cannot keep a client’s production database “just in case” without contractual cover. The engagement closeout checklist includes data-deletion verification with documented proof shared with the client. Engagements that skip this step discover at the next privacy audit that “we still had it” is not a defensible answer.

By the end of pre-sales (and ongoing throughout the engagement), the engagement has:

  • A signed NDA in place before the scoping call where confidential information is exchanged, with mutual protection and a duration appropriate to the engagement type
  • A signed MSA covering the cross-cutting legal terms — liability caps, indemnification, IP ownership, governing law, dispute resolution, insurance — that govern this client relationship across all engagements
  • A signed SOW executed under the MSA, naming scope, deliverables, timeline, payment, acceptance criteria, and change-control mechanics for the specific engagement
  • A signed DPA where personal data is in scope, naming data categories, purposes, security measures, sub-processors, breach-notification window, and data-deletion obligations at engagement end — plus a documented data-flow review confirming actual practice matches the DPA
  • A defined change-order process that runs alongside the operational change-control flow, with each material scope shift producing a signed SOW amendment before the changed work proceeds
  • Templated versions of NDA, MSA, and DPA in the agency’s version-controlled legal templates, accumulating each engagement’s negotiation lessons rather than redrafting from scratch
  • Where applicable: BAA (HIPAA), security questionnaire responses, sub-contractor agreements, and source-code escrow — handled as peripheral contracts that attach to the core five-document stack

MSA-plus-SOW vs. single-contract vs. master-and-orders cultures. MSA-plus-SOW agencies — the modern default — separate cross-cutting legal terms (MSA) from project specifics (SOW), signing the MSA once and a new SOW per engagement. Trade-off: dramatically faster repeat-engagement signing, defensible long-term relationship structure, requires upfront discipline. Single-contract agencies fold all legal terms into each SOW. Trade-off: simpler-feeling on engagement one, painful on engagement two when the entire legal stack is renegotiated. Master-and-orders agencies use a Master Agreement with much narrower per-engagement Order Forms (single-page commercial summaries). Trade-off: fastest signing on repeat engagements, requires the Master Agreement to carry more weight than a typical MSA, common in SaaS-style agency relationships and in retainer-heavy practices. MSA-plus-SOW dominates in mid-market consulting and modern software agencies; single-contract survives in commodity work; master-and-orders survives in retainer-style relationships and in agencies serving clients who prefer subscription-shaped legal structures.

Mutual-NDA-default vs. one-way-NDA-default cultures. Mutual-NDA agencies — the professional standard — counter every one-way NDA with a mutual version and treat client refusal as a flag about how the relationship will run. Trade-off: occasionally costs a deal where the client’s procurement team is rigid; protects the agency’s confidential information across thousands of conversations. One-way-NDA agencies sign whatever the client sends. Trade-off: smoothest pre-sales motion, accumulates asymmetric legal exposure over time, signals weakness to procurement teams that test how readily the agency cedes ground. Mutual-NDA-default dominates in mature consulting and software-agency practice; one-way-default survives in agencies whose pre-sales motion has not yet caught up to their delivery sophistication.

DPA-on-every-engagement vs. DPA-on-some-engagements vs. DPA-as-afterthought cultures. DPA-on-every-engagement agencies sign a DPA alongside the MSA on every client engagement that touches any personal data, regardless of volume — the modern default in agencies serving EU/UK clients and in regulated industries. Trade-off: highest upfront legal effort, defensible at audit time, common in agencies serving European or regulated clients. DPA-on-some-engagements agencies sign DPAs only when the client’s privacy team explicitly requires it. Trade-off: lower upfront effort, creates inconsistent legal posture across the agency, common in mid-market agencies serving mixed client bases. DPA-as-afterthought agencies treat the DPA as a procurement-driven afterthought, signed reactively when a regulator or auditor surfaces. Trade-off: the cheapest until it isn’t; produces engagement-time crises and regulatory exposure. DPA-on-every-engagement is the trajectory the regulatory environment is forcing across the industry; DPA-as-afterthought has been visibly punished in 2024–2025 GDPR enforcement actions and is no longer a defensible commercial posture for any agency operating in or serving the EU/UK markets.