14. IT contracts, licenses, and vendor lock-in risks

The buyer’s model assumed $11M in first-year IT savings. Vendor overlap looked obvious: two CRM platforms, three analytics tools, duplicate endpoint security, and a finance stack that could be folded into the buyer’s standard environment.

Then the contract review changed the math.

The target’s CRM agreement had a 36-month renewal that triggered two weeks before close. The analytics vendor charged for data export above a narrow monthly cap. The endpoint tool had a change-of-control consent right. The finance system could not be assigned to the buyer without a new enterprise agreement. The “duplicate” tools were not all removable. Some were locked, some were about to renew, and some could only be exited after the business paid for migration support it had not budgeted.

None of these findings made the deal impossible. They did something more common: they turned clean synergy into delayed synergy, added one-time cash, and gave vendors control over the deal clock.

The primary decision is this:

Do IT contracts and licenses support the deal plan, or do they create hidden run-rate, true-up, change-of-control, data extraction, or exit constraints that should change price, terms, timing, or the Day-100 plan?

Why contract diligence is not legal cleanup

Technology contract review often gets split across legal, procurement, and IT. Each team sees part of the problem. Legal checks assignability and change-of-control. Procurement checks price and renewal dates. IT checks whether the tool is still used.

The deal team needs the combined answer: what does the contract let us do, by when, at what cost, and with whose consent?

That answer changes four deal levers:

• Run-rate: license true-ups, lost parent discounts, usage-based pricing, and forced enterprise tiers can reset IT cost after close
• One-time cash: exit fees, migration services, data extraction charges, implementation support, and dual-running can sit outside the model
• Clock: vendor consent, renewal windows, data access, and notice periods can slow TSA exit, integration, or application rationalization
• Control: restrictive terms can block the buyer from changing architecture, moving data, adding users, or folding the target into existing platforms

The contract file is not paperwork. It is part of the operating model.

The common mistake: reviewing spend, not constraints

Most diligence teams ask for the top vendor spend list. That is useful, but it misses the terms that move value.

A $4M ERP contract with clean assignment, flexible entities, known pricing, and usable extraction rights may be manageable. A $700K workflow tool embedded in customer onboarding, with non-transferable licenses and vendor-controlled data export, may set the separation clock.

Spend rank is not the same as deal risk. The right starting point is a contract-to-workflow view:

1. Which vendors support revenue, cash, reporting, payroll, cyber controls, or customer access?
2. Which contracts are shared with the parent, held by the wrong legal entity, or dependent on parent-negotiated pricing?
3. Which terms prevent the buyer from executing the target-state plan inside the first 12-18 months?

If the team cannot answer those questions, the model is treating vendor terms as if they are flexible. Many are not.

Five contract risks that change deal economics

1) Change-of-control and assignment terms that create consent risk

The clean question is whether the contract moves with the business. The better question is whether it moves in the form the buyer needs.

What to check:

• change-of-control consent requirements
• assignment rights by asset deal, share deal, carve-out, and internal reorganization
• entity and affiliate language
• vendor right to reprice, terminate, or renegotiate on transfer
• timelines for consent and whether silence counts as approval

What goes wrong:

The target assumes the contract continues because the tool has been used for years. The vendor sees a deal event and reopens the commercial terms. Consent becomes a negotiation. The buyer either pays a new rate, accepts a narrower license, or keeps the target on seller-provided access longer than planned.

The cost is not just the vendor fee. It is the TSA extension, delayed platform consolidation, and management time spent negotiating after close from a weaker position than the buyer had before signing.

2) License metrics that do not match the future operating model

License terms often look harmless until the buyer adds users, entities, revenue, devices, data volume, or cloud consumption.

What to check:

• named user, employee, contractor, device, revenue, transaction, or capacity metrics
• affiliate and third-party access rights
• indirect access rules for ERP and data platforms
• audit rights and lookback periods
• price bands that trigger when the target joins the buyer’s environment

What goes wrong:

The buyer integrates identity, gives shared-service teams access, connects the ERP to new reporting tools, and expands procurement or finance workflows. The vendor audits. A license design built for a standalone company no longer fits. The buyer gets a true-up demand just as the integration team is trying to retire duplicate systems.

This is common in ERP, CRM, workforce management, engineering software, data platforms, security tooling, and industry-specific applications where usage definitions are narrow and audit rights are strong.

3) Renewal and notice windows that trap savings

Vendor rationalization plans often assume contracts can be stopped when the buyer is ready. Contracts often say otherwise.

What to check:

• renewal date, auto-renewal terms, and notice period
• minimum term, committed spend, and termination for convenience
• ramp schedules, step-up pricing, and minimum user counts
• support renewal dates separate from license terms
• penalties for reducing seats, modules, or consumption

What goes wrong:

The target misses a 90-day notice window during exclusivity or between signing and close. A tool renews for another year before the buyer can migrate users. The synergy plan removes the vendor in month six, but cash leaves the business through month eighteen.

This is how “run-rate savings” become accounting fiction. The application can be decommissioned, but the contract still runs.

4) Data extraction and exit terms that slow separation

In many carve-outs and SaaS-heavy businesses, the issue is not whether the system works. It is whether the buyer can get the data out on time, in a usable form, with enough history and audit trail to run the business.

What to check:

• export rights, formats, frequency, and volume caps
• API throttling and paid extraction services
• data ownership and post-termination access
• retention, deletion, and archive terms
• vendor obligations during migration and exit

What goes wrong:

The buyer discovers that full historical export requires a paid services engagement, a multi-month queue, or a format the new system cannot use without heavy transformation. The TSA clock keeps running because finance, customer service, or compliance cannot move without the history.

Data terms are often buried in schedules, product terms, support policies, and online terms that were never stored in the data room. If they are not requested early, they show up when the project team asks for an export date.

5) Parent or group contracts that hide lost discounts and stranded scope

Carve-outs create a specific trap: the business may be using technology bought under parent-wide agreements. The price, service level, user rights, and security controls may depend on a scale the target will not have after close.

What to check:

• contracts held by parent entities or shared-service companies
• parent discounts, enterprise credits, and bundled support
• carve-out rights for a divested business
• stranded licenses the seller expects the buyer to absorb
• whether the vendor will honor existing rates for a standalone target

What goes wrong:

The target’s allocated IT cost looks attractive because it benefits from parent scale. After close, the same vendor sells the buyer a smaller, less discounted, standalone agreement. The run-rate rises even if usage stays flat. In parallel, the seller may ask the buyer to pay for stranded licenses it can no longer use elsewhere.

The allocation was not wrong. It just was not the buyer’s future cost.

Evidence asks that produce signal fast

Do not start with every IT contract. Start with the contracts that can change the deal plan.

1) Top vendor spend tied to workflows

Ask for the top 30-50 IT vendors with annual spend, renewal dates, contract owner, business owner, supported workflows, and legal entity. Add one column: “needed for Day 1, Day 100, or TSA exit.”

Why it matters:

This converts a spend list into a deal dependency map. A low-spend vendor tied to payroll, customer access, revenue recognition, identity, or plant operations may deserve more attention than a larger but replaceable tool.

2) Contract terms for the critical vendor set

For vendors tied to core workflows, ask for executed agreements, order forms, product terms, online terms referenced by URL, amendments, support terms, data processing addenda, and renewal notices.

Why it matters:

Order forms often contain the price and term. Product terms often contain the restrictions. You need both.

3) License position and usage evidence

Ask for purchased licenses, active users, peak usage, entity coverage, indirect access exposure, contractor access, device counts, capacity metrics, and the last vendor audit or true-up.

Why it matters:

Management’s answer that “we have enough seats” is not enough. The question is whether the license position covers the future operating model, not just today’s org chart.

4) Renewal calendar for the next 24 months

Ask for auto-renewals, notice deadlines, committed spend, termination rights, and price increases for the next eight quarters.

Why it matters:

The renewal calendar is the synergy clock. If notice windows are missed before close, the buyer may inherit avoidable cost with no practical exit.

5) Exit and data portability evidence

Ask for export terms, sample data extracts, API limits, paid migration schedules, post-termination access rights, and vendor support obligations during exit.

Why it matters:

This shows whether the buyer can leave a system when the workplan says it will leave, or whether the vendor controls the route out.

Decision triggers that should change price, terms, or timing

Contract findings become useful when they force a decision. These triggers are a practical starting point.

Trigger 1: A Day-1 or TSA-exit system requires vendor consent with no defined approval clock

If a core ERP, payroll, identity, finance, manufacturing, CRM, or data platform cannot be assigned or continued without vendor consent, and the contract does not require a response inside 30 days, treat consent as a closing or TSA risk.

What it changes:

• make consent a signing-to-close workstream with legal and procurement owners
• add a fallback service path under the TSA
• avoid committing to a TSA exit date that depends on an uncommitted vendor

Trigger 2: More than 15-20% of first-year IT savings depends on contracts with missed or near-term notice windows

If a meaningful share of savings depends on vendor exits with notice windows inside the next 90-120 days, the diligence team should not count those savings until notices are confirmed.

What it changes:

• move savings from year one to year two unless notice can be served pre-close
• negotiate seller support for notices during the interim period
• create a cash bridge for dual-running and trapped renewals

Trigger 3: License metrics reset when the buyer adds shared-service, contractor, or affiliate users

If integration requires the buyer’s finance, HR, IT, procurement, or cyber teams to access the target’s systems, test the license impact before Day 1. If those users are not covered, the buyer may create an audit issue by operating the business as planned.

What it changes:

• budget a true-up or short-term bridge license
• limit access patterns until license coverage is resolved
• renegotiate affiliate and contractor rights before the vendor has the stronger post-close position

Trigger 4: Data exit depends on vendor professional services with a queue longer than the TSA buffer

If a critical system requires vendor-run extraction or migration support, and the vendor cannot commit to a date that fits the TSA exit plan, the system sets the clock.

What it changes:

• book the vendor slot before close where possible
• extend the relevant TSA service or narrow the migration scope
• fund data transformation and validation as mandatory one-time cash

Trigger 5: Parent-scale economics account for more than 10% of target IT run-rate

If the target’s cost base relies on parent enterprise discounts, shared support tiers, credits, or bundled contracts worth more than roughly 10% of IT run-rate, do not use allocated cost as steady-state cost.

What it changes:

• build a standalone vendor run-rate bridge
• negotiate temporary access to parent terms where possible
• reflect lost discounts in the base case, not as downside sensitivity

What best teams do before signing

Strong teams treat contract and license diligence as a joint workstream across IT, legal, procurement, finance, and the integration or separation lead. They do not wait for a legal issues list at the end.

1) Build a vendor constraint register

For the critical vendor set, the register should capture:

• supported workflow and deal dependency
• renewal and notice dates
• assignment and change-of-control position
• license metric and current usage
• data extraction and exit terms
• expected post-close run-rate
• required action before signing, before close, or in Day 100

The point is not administrative control. It is to show which vendor terms can block the plan.

2) Create a contract-to-synergy bridge

For every IT savings line above a material threshold, tie the saving to the contract action required to capture it.

Examples:

• retire duplicate CRM: notice by May 31, export customer history by July 15, migrate 420 users, pay six months of dual-running
• consolidate endpoint security: confirm assignment, true-up 1,100 devices, terminate legacy support after rollout
• exit parent analytics platform: secure data export rights, archive seven years of reporting history, retain read-only access through audit cycle

This exposes the difference between gross savings and cash-realizable savings.

3) Negotiate before the vendor has the advantage

Vendors know when a deal creates urgency. Waiting until after close often means the buyer needs the vendor more than the vendor needs the buyer.

Best teams identify the five to ten vendors most likely to affect Day 1, TSA exit, or first-year savings and decide where to negotiate before signing or between signing and close. The asks are usually simple:

• written consent or waiver
• short-term bridge rights
• confirmed pricing for the standalone entity
• expanded affiliate and contractor access
• data extraction support with dates and fees
• termination or ramp-down flexibility

This is procurement work, but it is deal execution first.

Where teams get trapped after close

Three patterns show up repeatedly.

The vendor list was complete, but the product terms were missing. The executed order form looked fine. The online product terms limited export rights, affiliate access, or integration methods. The project team found the restriction when the vendor refused a request.

The synergy plan assumed technical readiness, not commercial readiness. IT could migrate users in six months. The contract could not be exited for twelve. Finance booked savings on the IT timeline, not the contract timeline.

The buyer treated true-ups as procurement noise. A license audit or enterprise reset is not noise if it lands during the first year. It can consume the same dollars the business case expected from application rationalization.

These are avoidable. They require the contract review to answer operating questions, not just legal ones.

Monday-morning actions

In the next 10 business days, assign one owner across IT, legal, procurement, and finance to produce a vendor constraint register for the top 30-50 IT vendors and any low-spend vendor tied to revenue, payroll, finance, identity, cyber, customer access, or TSA exit.

Then make five calls:

1. Which vendors need consent before close? Do not let open consent sit inside a general legal tracker.
2. Which renewal notices must be served in the next 120 days? If the seller controls the contract before close, make interim-period support explicit.
3. Which license metrics break under the buyer’s Day-1 operating model? Price the bridge before access is needed.
4. Which systems cannot be exited without vendor-run data extraction? Book the slot or reset the TSA plan.
5. Which savings lines are contract-realizable in year one? Move the rest out of the base case.

The output should be a simple decision: proceed with the current plan, change the plan, or change the economics. If contracts and licenses do not support the deal plan, the buyer should know that before signing, not after the first vendor notice arrives.