A set of documents designed to be procurement-ready and drafted to work together: Terms of Service, Privacy Policy, a DPA with EU Standard Contractual Clauses, MSA/SOW, and an AI Use Addendum, plus a launch-risk review of the clauses enterprise buyers scrutinize most. Built and reviewed by me, a California attorney, not assembled from a template wizard.
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst helps you figure out which documents you need and routes a clean summary to me.
Common questions, always free
An enterprise prospect sends back a redlined MSA, asks for a signed DPA, and wants answers on AI and data handling. Generic template terms do not survive that review.
Your Terms cap liability one way, your Privacy Policy describes uses your DPA does not allow, and AI is addressed nowhere. Misaligned documents create the exact gaps a counterparty exploits.
Who owns the prompts and outputs, and can customer data train your or your vendors' models? By 2026 procurement asks in writing, and silence in your documents is a risk, not a default in your favor.
Start with a focused review, build the full stack, or layer in enterprise procurement language. Pick by where you are, not by guesswork. Anything at $1,500 and above is scoped through intake before any payment.
One document drafted or redlined, or a focused gap audit of the terms you already have.
$575 Create or Redline tier. Overflow on unusually long or complex work at $240/hour, agreed before any extra work.
The full coordinated document set drafted to your product, with a launch-risk review.
Scoped and confirmed at intake, then engaged. I send the correct payment link after I confirm scope; this tier is not instant checkout.
Layered onto the stack when you are selling into security-reviewed, regulated, or large-enterprise buyers.
For deals that need negotiated terms and security-review support. Quoted as a flat phase or hourly after a short scoping exchange.
| What you get | $575 review / audit | $2,500 full stack | Enterprise upgrade |
|---|---|---|---|
| One document drafted or redlined | ✓ | ✓ | ✓ |
| Coordinated multi-document set | – | ✓ | ✓ |
| DPA with EU SCCs + UK addendum | Add-on | ✓ | ✓ |
| AI Use Addendum | Add-on | ✓ | ✓ |
| Launch-risk clause review | Single doc | ✓ | ✓ |
| Negotiated MSA with fallback positions | – | – | ✓ |
| Security questionnaire support | – | – | ✓ |
| Revision rounds | 3 email rounds | Scoped | Scoped |
| How you engage | Pay & send | Intake first | Quote first |
"Add-on" means I can build that single document under the $575 tier; the coordinated stack with aligned defined terms across documents is the $2,500 package. Where a matter needs ongoing negotiation through to a signed agreement, that is a separate Pre-Litigation or negotiation phase quoted on its own.
Tap a tab to see what the document is for and the practical decisions it locks down. These are the building blocks of the stack; not every product needs all of them, and I will tell you which ones yours does.
The contract every self-serve user agrees to at signup. It sets the rules for products sold without a negotiated agreement.
Top 3 issues I lock down:
Also covered: the license grant and acceptable scope of use, and the governing-law, venue, and dispute-resolution clauses.
Why it matters: for most SaaS, the Terms of Service is the liability shield. An unenforceable clause, a missing limitation of liability, or an auto-renewal that violates state law can each undo the protection you thought you had. I draft it to hold up, not just to look complete.
A public disclosure of what data you collect, why, who you share it with, and the rights users have. Usually needed when you collect personal information.
Top 3 issues I lock down:
The exact disclosures depend on which privacy laws apply, your data categories, your customer locations, and whether you sell, share, process, or transfer personal information. Also covered: GDPR Article 13/14 disclosures where relevant, plus retention, security, and the contact channel for data requests.
Why it matters: the Privacy Policy has to match what your product actually does and what your DPA promises. A policy copied from another company describes data practices that are not yours, which is worse than having none. I align it to your real data flows.
The contract that governs how you handle personal data on behalf of a business customer. Enterprise buyers will not sign without one.
Top 3 issues I lock down:
Also covered: the sub-processor list and change-notice mechanics, plus security measures, breach-notice obligations, and audit terms.
Why it matters: the DPA is where your role as processor is defined. Getting the controller/processor characterization wrong, or attaching outdated transfer clauses, is a direct compliance gap. I build it on the current SCCs, not a pre-2021 version.
The negotiated contract for larger or custom deals, with a Statement of Work template for scoping specific engagements.
Top 3 issues I lock down:
Also covered: fees, true-ups, and renewal terms, plus an SOW template for scope, milestones, and acceptance.
Why it matters: enterprise buyers redline MSAs hard. Knowing which positions to hold and which to trade, and having fallback language ready, is the difference between a clean signature and weeks of back-and-forth. The enterprise upgrade exists for exactly this.
The clauses that address how your product uses AI: ownership of inputs and outputs, training restrictions, and the disclosures procurement now demands.
Top 3 issues I lock down:
Also covered: accuracy, human-review, and no-reliance language, plus an opt-out for customers who want their data kept out of AI features.
Why it matters: this is the bridge issue for AI products. If your documents do not say who owns outputs and whether data trains models, you inherit ambiguity that favors no one. See the AI & data ownership section below for the per-asset defaults.
The rules for what users may not do with your product, and the basis on which you can suspend or terminate abusive accounts.
Top 3 issues I lock down:
Also covered: AI-specific misuse where the product ships AI, plus reporting and notice mechanics.
Why it matters: without a clear AUP, suspending a bad actor becomes a contract dispute. A tight AUP, referenced from your Terms, gives you a clean right to act and reduces the argument that you breached by cutting someone off.
The billing rules that govern refunds, cancellation, and auto-renewal, written to comply with the state laws that increasingly regulate subscriptions.
Top 3 issues I lock down:
Also covered: chargeback and payment-processor alignment, plus trial-to-paid conversion disclosures.
Why it matters: auto-renewal and "click to cancel" rules are actively enforced and vary by state. Sloppy renewal terms create both regulatory exposure and payment-processor risk. I write these to the current rules, not a generic boilerplate.
These are the recurring problems I find in SaaS and AI documents during a gap audit. Each gauge reflects how often the clause is wrong or missing in the products I review, and how much it tends to cost when it goes wrong.
Documents that never say who owns prompts and AI outputs, so customers and your model vendor can each claim rights you assumed were yours.
I state ownership of inputs and outputs explicitly and reconcile it with your upstream model provider's terms.
Either no license to host and process user content at all, or a license so broad it reads as a rights grab and scares enterprise buyers.
I draft a license broad enough to run the product and narrow enough to pass procurement review.
A missing cap, an unenforceable cap, or carve-outs that swallow the cap: this clause decides your worst-case number in a dispute.
I set an enforceable cap with carve-outs sized to the deal, not copied from an unrelated template.
The DPA mischaracterizes your role, or there is no DPA at all, which misstates your obligations and breaks the transfer mechanics.
I define the correct role per data flow and attach the current 2021 EU SCCs and UK addendum.
Renewal and cancellation terms that ignore state auto-renewal statutes and "click to cancel" rules, and a magnet for chargebacks.
I align renewal notice, consent, and cancellation mechanics with current subscription law.
One-sided or uncapped indemnities, or IP indemnities that ignore the AI-training and third-party-data risk specific to your product.
I balance the indemnity, cap it where appropriate, and address AI and data-source exposure.
Self-serve Terms pushed into enterprise deals with no MSA, SLA, or security exhibit, so every large deal becomes a custom negotiation.
I build a negotiation-ready MSA with fallback positions in the enterprise upgrade.
Terms that conflict with Stripe or PayPal rules, or weak refund language that drives disputes and contributes to account freezes.
I align your billing terms with processor rules to reduce dispute and freeze exposure.
In a gap audit I read your existing documents against the way your product actually works, then rank each issue by two factors: how likely it is to be triggered in a real dispute or procurement review, and how large the downside is if it is. The gauges above are a generalized version of that scoring across the products I see, not a score of your specific documents.
A "High" item is one that is both common and expensive when wrong, like a missing or unenforceable liability cap. A "Medium" item is one that is either less frequent or more contained, like a one-sided indemnity that is recoverable in negotiation. Your audit gets a ranked, document-specific list, so you fix the clauses that move your risk the most first.
This page is informational and the gauges are illustrative. The only way to know your real exposure is to have your actual documents reviewed.
If your product touches AI, this is the question that decides your IP position and your enterprise deals. The honest answer is that it depends on what your documents say, and most documents say nothing. Here is how a well-drafted stack resolves each piece.
Stack default: user keeps ownership; you take a license to process and improve, scoped by the AI Addendum.
Stack default: outputs assigned or licensed to the user, reconciled with your upstream model provider's terms.
Stack default: training off by default for business customers, with a clear opt-in and vendor flow-downs disclosed.
Prompts & inputs: what a user types into your product.
AI outputs: what the model generates; copyrightability is unsettled.
Model-improvement data: the most scrutinized line in any AI procurement review.
Files, text, and assets users upload. You need a license broad enough to run the product without it reading as a rights grab.
Stack default: limited license to host, process, and display; ownership stays with the user.
Personal data you handle on behalf of a business customer. Governed by the DPA, not just the Terms.
Stack default: customer is controller, you are processor, EU SCCs and UK addendum attached.
Analytics and usage data stripped of identifiers. Often the legitimate basis for product improvement, if defined correctly.
Stack default: you may use properly de-identified, aggregated data, defined precisely to avoid re-identification risk.
Copyrightability of AI output is unsettled, so I allocate rights deliberately rather than leave them to default. I walk through the analysis in my post on who owns Claude's outputs and how they can be used.
Contract ownership and copyrightability are not the same thing. A contract can allocate rights, licenses, confidentiality, and use restrictions for prompts, outputs, customer content, and model improvements. But U.S. copyright protection still depends on human authorship and the extent of protectable human creative contribution. I draft the AI Addendum to allocate commercial rights even where copyright ownership may be uncertain.
"Stack default" describes the starting position I draft from. The right answer for your product depends on your model vendor, your customers, and your business model, which is what the AI Addendum and intake confirm.
I would rather tell you this is not the right package than draft documents that paper over a problem that needs a specialist. Here is the honest line.
AI, subscription, and B2B SaaS products, online platforms, and founders responding to a redlined MSA or DPA request.
If you are here, the $575 gap audit or the $2,500 full stack is usually the right starting point.
Securities or tokens, regulated finance, HIPAA-heavy health data, and active litigation all need a specialist instead.
If your matter is on this list, I will say so at intake and point you toward the right specialist rather than take the engagement.
The more of this you can send up front, the faster and more accurate the scope. Do not worry if some pieces are missing; the intake walks through them.
Product URL and description tell me what the documents have to describe accurately. A Privacy Policy that does not match the product is a liability, so I start from how the product really works.
Customer type decides the architecture. Self-serve consumer products lead with Terms of Service; B2B and enterprise products need an MSA, a DPA, and often an SLA. Getting this wrong is the most common reason a stack fails procurement.
Data collected and AI features drive the Privacy Policy, the DPA, and the AI Addendum together. The training-data question in particular changes how I draft both the AI Addendum and the user-content license.
Payment model and jurisdictions control the refund/cancellation terms, the auto-renewal mechanics, the governing-law clause, and whether the EU SCCs and UK addendum are needed. They also flag payment-processor risk early.
If you cannot share a document directly (for example it sits behind a login or a shared drive I cannot open), tell me and I will arrange another way to receive it rather than guess at its contents.
Turnaround depends on scope and is confirmed at intake. Rush handling may be available for an added fee on smaller scopes; ask before paying.
Send your product URL and current documents and I will confirm exactly which documents you need and what it costs, before any work begins.
The $240 Written Attorney Consultation is the lowest-friction way to get an attorney read before committing to the full stack. The $2,500 stack and any enterprise work are scoped through intake first.
A legal stack is the set of documents your product needs to operate and sell: Terms of Service or an MSA, a Privacy Policy, a DPA, an Acceptable Use Policy, an AI Use Addendum where relevant, an SOW template, and refund/cancellation terms.
I draft them together so the defined terms, liability caps, and data roles are consistent across every document. The most common problem I find is documents that were each fine in isolation but contradict each other, which is exactly the gap a counterparty or regulator exploits.
The $575 tier is one document drafted or redlined, or a focused gap audit of your existing terms, with up to three rounds of email revisions. Use it when you have a single document to fix or one redlined MSA to respond to.
The $2,500 tier is the full coordinated stack drafted to your product, plus a launch-risk review. Use it when you are launching, raising, or moving up-market and need the whole set to be consistent and procurement-ready. The full stack is scoped at intake before you pay.
It depends on what the documents say, which is the point. A well-drafted AI Use Addendum states clearly who owns prompts and outputs, whether customer data may train your or your vendors' models, and what happens to that data on termination, then reconciles all of that with your upstream model provider's terms.
The AI & Legal Automation hub walks through the ownership analysis for AI outputs and covers the broader picture for AI products.
The DPA can include the 2021 EU Standard Contractual Clauses and, where needed, the UK International Data Transfer Addendum. Those clauses address cross-border transfer mechanics, but they do not by themselves solve every GDPR, UK GDPR, product-design, data-minimization, security, or transfer-risk issue. I confirm the actual data flows and customer base before treating the DPA as sufficient.
The MSA and Terms default to California law, and the governing-law and venue clauses are straightforward to adapt. For a product built primarily for the EU or UK market, an additional jurisdictional review may be appropriate and is quoted separately.
No. Securities or token offerings, HIPAA-heavy health-data products, and regulated financial products like money transmission or lending need specialist review beyond a standard SaaS stack, and they are out of scope for this package.
If your product is in one of those areas I will tell you at intake and point you toward the right specialist, rather than draft documents that look complete but miss a regulatory problem.
Directly with me. I am Sergei Tokmakov, a California attorney, Bar #279869, licensed since 2011. There is no intake team and no associate handoff. The AI Legal Analyst on this site is an attorney-supervised tool that helps you get oriented; the legal work and judgment are mine.
The $575 gap audit and the $240 written gap review are flat fees you can pay directly to start. The $2,500 full stack and any enterprise or procurement upgrade are scoped through intake first; once I confirm scope, I send the correct payment link. I do not run instant checkout on the larger engagements because the scope needs to be confirmed before you commit.
Describe your product to the AI Legal Analyst and it will help you figure out which parts of the stack apply, what the high-risk clauses are for your model, and whether the $575 audit or the full stack is the right starting point. It is attorney-supervised and informational, not legal advice, and it routes a clean summary to me when you are ready.
Send your product URL and current documents. I confirm scope and price before any work begins, and you work directly with me throughout.
Primary: start intake for the full stack or enterprise upgrade. Fallback: a $240 written attorney gap review for a smaller first step. The $575 single-document audit is also available above.