Highest Risk Patterns

Top 10 Contract Red Flags

These are the most dangerous clauses we identify in contracts. If you see any of these, proceed with extreme caution.

Our full library includes 152+ patterns across healthcare, finance, government, and general contracts.

1. No Liability Cap
Category: Liability | Severity: critical

No limit on your liability for damages, exposing you to unlimited risk

⚠️ Why this is dangerous

Without a liability cap, you could be held responsible for damages far exceeding your project fee. This is a major financial risk.

✅ What to do

Add a liability cap, typically equal to fees paid or a multiple thereof.

📝 Better language to use

"Contractor's total liability shall not exceed the total fees paid under this Agreement."

🔍 Watch for phrases like

"Contractor accepts full liability"
"No limitation on damages"

2. Broad Indemnification
Category: Liability | Severity: critical

You must indemnify the client for a broad range of claims, including their own negligence

⚠️ Why this is dangerous

This broad indemnification clause makes you responsible for legal claims against the client, potentially including their own mistakes or negligence.

✅ What to do

Limit indemnification to claims arising from your actual work and exclude client negligence.

📝 Better language to use

"Contractor shall indemnify Client for third-party claims arising directly from Contractor's proven negligence or willful misconduct."

🔍 Watch for phrases like

"Indemnify against any and all claims"
"Hold harmless from all liabilities"

3. HIPAA Business Associate Agreement Required
Category: Healthcare Compliance | Severity: critical

Contract involves handling Protected Health Information (PHI) without proper BAA

⚠️ Why this is dangerous

Any access to Protected Health Information (PHI) requires a Business Associate Agreement (BAA) under HIPAA. Without one, you face severe penalties up to $1.5M per violation category.

✅ What to do

Require a signed BAA before any PHI access. Ensure it specifies permitted uses and security requirements.

📝 Better language to use

"Prior to any access to PHI, parties shall execute a HIPAA-compliant Business Associate Agreement specifying permitted uses, safeguards, and breach notification procedures."

🔍 Watch for phrases like

"May access patient records"
"Will handle medical information"
"Process health data"

4. Inadequate PHI Security Requirements
Category: Healthcare Compliance | Severity: critical

Contract lacks specific PHI security and encryption requirements

⚠️ Why this is dangerous

HIPAA requires specific technical safeguards including encryption, access controls, and audit logging. 'Reasonable security' is too vague for PHI.

✅ What to do

Specify HIPAA-required safeguards: encryption at rest and in transit, access controls, audit logs, and incident response procedures.

📝 Better language to use

"Contractor shall implement HIPAA-required safeguards including: AES-256 encryption for data at rest and TLS 1.2+ in transit, role-based access controls, audit logging, and breach notification within 24 hours."

🔍 Watch for phrases like

"Keep data secure"
"Maintain appropriate security measures"

5. No HIPAA Breach Notification
Category: Healthcare Compliance | Severity: critical

Contract lacks required breach notification timelines for PHI

⚠️ Why this is dangerous

HIPAA requires business associates to notify covered entities of PHI breaches within 60 days. Without specific timelines, you risk non-compliance.

✅ What to do

Add specific breach notification requirements: discovery timeline, notification within 24-72 hours, and details required.

📝 Better language to use

"Contractor shall notify Client within 24 hours of discovering any breach of PHI, including: the nature of the breach, the PHI involved, remediation steps, and the number of affected individuals."

🔍 Watch for phrases like

"Report breaches promptly"
"Notify of security issues"

6. 42 CFR Part 2 Substance Abuse Records
Category: Healthcare Compliance | Severity: critical

Contract involves substance abuse treatment records requiring additional protections beyond HIPAA

⚠️ Why this is dangerous

Substance use disorder records have stricter protections than HIPAA under 42 CFR Part 2. Violations can result in criminal penalties.

✅ What to do

Add specific 42 CFR Part 2 compliance terms including consent requirements and re-disclosure prohibitions.

📝 Better language to use

"For substance use disorder records, Contractor shall comply with 42 CFR Part 2, including obtaining proper patient consent and prohibiting re-disclosure without specific authorization."

🔍 Watch for phrases like

"Drug treatment records"
"Addiction recovery data"
"SUD treatment information"

7. SOX Compliance Requirements
Category: Financial Compliance | Severity: critical

Contract lacks Sarbanes-Oxley compliance requirements for public company work

⚠️ Why this is dangerous

Work affecting financial reporting for public companies must comply with SOX. Generic 'applicable laws' language may not be sufficient for audit purposes.

✅ What to do

Explicitly reference SOX compliance requirements, including Section 404 internal controls if applicable.

📝 Better language to use

"Contractor shall comply with Sarbanes-Oxley Act requirements, including maintaining documentation sufficient for Section 404 audits and cooperating with internal control testing."

🔍 Watch for phrases like

"Follow all regulations"
"Comply with applicable laws"

8. PCI-DSS Compliance Missing
Category: Financial Compliance | Severity: critical

Contract involves payment card data without PCI-DSS compliance terms

⚠️ Why this is dangerous

Any handling of payment card data requires PCI-DSS compliance. Non-compliance can result in fines up to $100,000 per month and liability for fraud.

✅ What to do

Add PCI-DSS compliance requirements including annual assessment and specific security controls.

📝 Better language to use

"Contractor shall maintain PCI-DSS Level 1 compliance, provide annual Attestation of Compliance (AOC), and immediately notify Client of any PCI audit findings or cardholder data breaches."

🔍 Watch for phrases like

"Handle credit card payments"
"Store payment information"
"Process card transactions"

9. No SEC/FINRA Compliance
Category: Financial Compliance | Severity: critical

Contract for securities-related work lacks regulatory compliance terms

⚠️ Why this is dangerous

Securities-related work is heavily regulated by SEC and FINRA. Without explicit compliance terms, both parties face regulatory risk.

✅ What to do

Add SEC/FINRA compliance requirements, including registration verification and books and records retention.

📝 Better language to use

"Contractor represents proper SEC/FINRA registration for services provided, shall maintain required books and records, and will cooperate with regulatory examinations."

🔍 Watch for phrases like

"Trading services"
"Investment advice"
"Securities processing"

10. Missing Bank Secrecy Act Terms
Category: Financial Compliance | Severity: critical

Contract lacks Bank Secrecy Act/AML compliance requirements

⚠️ Why this is dangerous

Financial transaction processing requires BSA/AML compliance including suspicious activity reporting. Non-compliance can result in criminal liability.

✅ What to do

Add BSA/AML compliance terms including SAR filing obligations and KYC requirements.

📝 Better language to use

"Contractor shall maintain a BSA/AML compliance program including: customer due diligence, transaction monitoring, suspicious activity reporting to FinCEN, and recordkeeping per 31 CFR 1010."

🔍 Watch for phrases like

"Process payments"
"Handle transactions"
"Transfer funds"

Scan Your Contract Against All 152 Patterns

Upload a contract and our AI will automatically scan for these top 10 red flags plus 142 more industry-specific patterns for healthcare, finance, and government contracts.