Back to blog
ContractsStartup lawCompliance

Supplier contracts: a founder's field guide

B2B contracts have none of the protections consumers get - every clause you sign holds. Here are the risks to handle before you sign.

NOMELIA12 min read
Share

Supplier contracts are the backbone of every operation - raw materials, components, software, data. And unlike consumer contracts, the law here assumes both sides are equal professionals. That means near-total freedom of contract and zero default protection: every clause you sign, however unfavorable, is treated as validly agreed.

Studies show that through vague terms and poor management, businesses lose on average around 9% of the value of their commercial contracts. For an early-stage startup that leak is often fatal. So the contract isn't a formality - it's business infrastructure.

Vet the supplier before you sign

Before the deal, run systematic due diligence across several fronts:

  • Financial stability. The partner's balance sheet and credit rating. A sudden bankruptcy of a key supplier can paralyze your entire chain.
  • Sanctions. Screen against sanctions lists (EU, OFAC, UN, UK). Dealing with a sanctioned entity can freeze your bank accounts and create personal liability for founders.
  • Beneficial ownership (UBO). Who actually controls the company. Sanctioned or politically exposed persons often hide behind chains of offshore shells.
  • Cybersecurity. If the supplier touches your environment, demand evidence (SOC 2, ISO 27001) and audit rights.
  • Litigation history. A pattern of non-performance or IP-theft cases is a red flag.
  • Dependency concentration. Check whether your primary suppliers all rely on the same sub-supplier further down the chain. If it fails, your "diversified" chain fails with it.

Manufacturing in China: NNN, not NDA

For hardware startups, China offers scale but also extreme IP risk. The classic Western non-disclosure agreement (NDA) is practically useless in the Chinese market.

What you need is an NNN agreement (Non-Disclosure, Non-Use, Non-Circumvention), drafted under Chinese law and in the local language:

  • Non-Disclosure - bars sharing your files and design with third parties.
  • Non-Use - the biggest gap in Western NDAs. It bars the factory from using your ideas to build its own products or products for your competitors.
  • Non-Circumvention - bars the factory from selling directly to your customers, cutting you out.

Who owns the tooling

One of the most common disputes is a factory holding your production molds hostage. When a factory offers to develop the molds "for free" or at a steep discount, it legally owns them - and if you switch factories, it won't hand them over.

The contract must state explicitly that the buyer owns 100% of the molds, with photos, ID numbers, and drawings attached. Always pay the full price - the invoice is your strongest proof of ownership in court. And bear in mind: even if you own the mold on paper, physically moving it is expensive, because it's engineered for that specific factory's machines.

Parallel manufacturing and trademark squatting

Without audits, factories often run a "third shift" - producing the same goods with your molds and selling them under their own brand. China also applies a "first-to-file" rule for trademarks: if you don't register your mark in China (including its Chinese transliteration) before sharing files, a factory or third party can register it and then block the export of your own goods at customs.

SaaS, APIs and SLAs: software continuity

For tech startups, third-party software is critical infrastructure. A badly negotiated tech contract can stop your business in a day.

  • Uptime guarantee (SLA). Demand a clear uptime percentage - e.g. 99.9%, which allows a maximum of 8.76 hours of downtime per year.
  • Service credits. When uptime is breached, the contract should automatically provide financial compensation that grows with the length of the outage.
  • API deprecation. When a provider changes its API, your integrations break. Require it to support the old version for at least 12 months and to provide migration documentation.
  • The hidden subcontractor chain. SaaS providers usually sit on top of AWS, Azure or Google Cloud. Demand full disclosure, and make liability clauses cover damage caused by those subcontractors too.

Source-code escrow

If third-party software sits at the core of your product, you need a tripartite source-code escrow agreement with a trusted agent. The provider deposits the code and configurations in a vault; they're released to you on strictly defined events - insolvency, end of support, or systemic refusal to fix critical bugs. Require at least a compile test, and ideally a usability test where the agent actually runs the software in a test environment.

GDPR: the Data Processing Agreement (DPA)

If a supplier has access to your users' personal data, a Data Processing Agreement (DPA) is mandatory under Article 28 of the GDPR.

  • Roles. Your startup is the controller (you set the purposes); the supplier is the processor (acting only on your written instructions).
  • Subprocessors. The supplier may not engage a subprocessor without your written permission and must notify you of changes at least 30 days ahead, with a right to object and terminate without penalty.
  • International transfer. If the supplier is outside the EU/EEA and processes EU residents' data, incorporate the Standard Contractual Clauses (SCCs). Without them the transfer is unlawful.
  • Breach timing. The GDPR gives you 72 hours to notify the regulator. So require the supplier to notify you of a breach in their system immediately - within 24-48 hours - so you have time to react.

The financial traps

VAT on digital services from abroad

When you buy SaaS licenses, hosting or advertising (Google, Meta) from foreign companies, the reverse-charge VAT mechanism applies. If you don't have standard VAT registration, you're required to register under Article 97a - and to do so at least 7 days before payment. This registration grants no input VAT credit, meaning the 20% VAT on the foreign invoice becomes a direct cost that erodes your margin.

Currency risk and hidden costs

If you pay in dollars but earn in euros or leva, exchange swings can raise your production cost 10-15% over months. Negotiate a fixed rate or hedge. When importing physical goods, budget in advance for duties, import VAT, port fees and container demurrage.

The new European regulations

Product Liability Directive (2024/2853)

Software and AI models are now classified as "products" with strict (no-fault) liability for damage. Compensation is owed not only for physical harm but also for medically recognized psychological harm and for the destruction of personal data. If you embed components from a supplier outside the EU, you are the "importer" and bear full joint liability toward European consumers - they sue you, and you pursue the foreign supplier afterward.

Data Act (Regulation 2023/2854)

Applicable from September 2025, the Act aims to end "lock-in" with cloud providers:

  • Providers must make it easy for you to migrate to another provider or your own infrastructure.
  • You can terminate a SaaS contract for a switch with at most 2 months' notice, regardless of the original term.
  • Data-egress fees are banned outright from January 2027.

This bears directly on financial models: long-term commitments are no longer as "locked in" as they look.

Force majeure: what is NOT an act of god

Suppliers often try to slip into the force-majeure definition things that are pure operational risk:

  • disruptions in global supply chains;
  • shortages of raw materials or semiconductors;
  • economic hardship, inflation or labor shortages.

If you allow these, the supplier can delay your orders for months with no liability. Separately, spell out what happens under new sanctions or export controls - each side should be able to terminate without penalty if performance would break the law.

What investors look at

In a round or an acquisition, legal counsel will cut your valuation or kill the deal over:

  • Concentration risk - total dependence on a single supplier with no alternative.
  • Unclean tech ownership - no written IP-assignment agreements from freelancers or founders to the company.
  • Anti-assignment (change of control) - clauses that let a supplier block the sale of your startup.

Red flags before you sign

  • A unilateral right for the supplier to change prices at any time.
  • Excluded liability for IP infringement.
  • Auto-renewal with a long notice window (over 60-90 days).
  • No right to audit the SaaS provider.
  • Governing law and jurisdiction in an expensive foreign forum.

Founder's checklist

  • IP: a clear clause that newly created IP becomes 100% yours on payment?
  • Incoterms: is it clear when risk transfers and who pays shipping for physical goods? (Avoid EXW.)
  • DPA: a signed agreement with control over subprocessors and a short breach window?
  • Tax: are you registered under Article 97a before paying foreign cloud providers?
  • Escrow: if third-party software is your core - do you have a tested escrow agreement?

Supplier contracts aren't documents for the archive. They set the limits of your growth. Moving from a reactive to a proactive stance in negotiation is the difference between a startup that scales and one that loses 9% along the way.

Related articles