Managed services vs outsourcing vs staff augmentation
These three models get bundled under “outsourcing” in conversation, but they are legally distinct — and the contract that fits one is wrong for the others. (For project-based work under a framework agreement, see our MSA guide.)
Managed services
The provider operates a defined IT function as a continuous service against SLAs. You buy outcomes — uptime, response times, resolution rates — and the provider decides how to deliver them. The contract lives or dies on the service catalogue, the SLA mechanics, and the exit terms.
IT outsourcing
A broader transfer of responsibility for an entire function or department — sometimes including assets, third-party contracts and people — to the provider. Where the function moves as a going concern, section 197 of the LRA enters the picture, and the deal needs employment-law attention before commercial terms are locked.
Staff augmentation
You rent capacity: the provider’s people work under your direction and control, with no outcome SLAs. Contractually the simplest model, but it gives you no remedies on outcomes and raises its own employment-law questions about who the real employer is. If you are managing the people, you are not buying a managed service.
The nine clauses that matter
Service scope + service catalogue
Exactly which towers the provider runs (helpdesk, end-user computing, infrastructure, network, security) and a service catalogue listing each service, its hours of cover, and what counts as out-of-scope project work billed separately. Vague scope is the single biggest source of MSP disputes.
Service levels + credits
Availability, response and resolution times by priority, first-time-fix rates — each with a defined measurement method, a monthly reporting cadence, and service credits that apply automatically rather than only when you remember to claim them.
POPIA operator terms + security standards + breach notification
The moment the provider touches personal information it is an operator under section 21 of POPIA, and written operator terms are mandatory: section 19 security measures, sub-operator controls, and an obligation to notify you immediately of any actual or suspected compromise so you can meet your own section 22 duties.
Offshore delivery + section 72 transfer mechanics
Follow-the-sun support means personal information leaves South Africa. Section 72 of POPIA requires a lawful transfer ground — typically contractual safeguards binding the offshore recipient to materially-equivalent protection — plus a current register of which countries your data actually sits in.
Technology refresh + asset ownership
Who owns the hardware, software licences and tooling used to deliver the service; refresh cycles so you are not running on aging kit in year four; and what happens to provider-owned equipment, configurations and documentation on exit.
Personnel: key persons, vetting, restraints
Named key persons with replacement-approval rights, background-vetting standards for staff holding privileged access to your systems, and sensible non-solicitation restraints running in both directions.
Audit rights + regulated-buyer cascades
Banks, insurers and FSPs must cascade their third-party risk-management obligations into outsourcing contracts: audit and inspection rights, regulator access to the provider, concentration-risk reporting, and the termination triggers their own regulators expect to see.
Pricing models + benchmarking
Per-seat, per-device, consumption-based or fixed-fee-per-tower pricing; CPI-linked escalation; and on longer terms a benchmarking clause so pricing can be market-tested mid-term without having to threaten termination.
Term, termination + transition-out assistance
The clause everyone regrets skipping. A defined transition-out period during which the provider must maintain service levels, hand over documentation, credentials and data, and cooperate with the replacement provider — at rates agreed up front, not hostage rates negotiated at exit.
The section 197 LRA question
The most under-appreciated risk in IT outsourcing is not in the IT clauses at all — it is in employment law.
Employees can transfer by operation of law
When outsourcing, insourcing, or changing providers transfers a business function as a going concern, section 197 of the Labour Relations Act may transfer the affected employees to the new provider automatically — on their existing terms and conditions, whether or not anyone intended it. The same analysis can apply in reverse when a contract ends and the function comes back in-house or moves to a new MSP.
Whether section 197 applies is intensely fact-specific, and getting it wrong reshapes the economics of the entire deal. Get employment advice early — before the commercial terms are agreed, not after signature. Where a transaction raises the question, this firm briefs specialist employment counsel as part of the engagement.
Exit planning: the reverse-transition checklist
Exit terms are negotiated when the relationship is at its friendliest and exercised when it is at its worst. Plan the divorce at the wedding:
- A current inventory of assets, licences, credentials and documentation the provider holds — maintained during the term, not assembled in a panic at exit.
- A defined transition-out period (typically 3–6 months) with service levels maintained in full throughout.
- Knowledge transfer: runbooks, configurations, network diagrams and admin credentials handed over in usable form.
- Data return in agreed, usable formats and POPIA-compliant deletion of what remains, with written certification.
- A duty to cooperate with the incoming provider — including joint planning sessions — at pre-agreed rates.
- A list of third-party licences and contracts that must be novated or assigned for the service to move.
- Pre-agreed exit fees, so the incumbent has no renegotiation leverage at the moment you are most exposed.
Frequently asked
What is the difference between a managed services agreement and an MSA?
A Master Service Agreement (MSA) is a general framework for project-based work, with individual Statements of Work dropped in underneath it. A managed services agreement governs a continuous, always-on service — the provider operates a defined IT function against service levels month after month. The managed services agreement needs things an MSA typically lacks: a service catalogue, availability and response SLAs with credits, technology-refresh obligations, and detailed transition-out assistance. Many MSPs use an MSA shell with a managed-services schedule; that works if the schedule actually carries the operational detail.
Do I need a POPIA operator agreement with my MSP?
Yes. An MSP with access to systems holding personal information — which is effectively every MSP, since helpdesk and infrastructure access reaches email, HR systems and customer databases — processes that information on your behalf and is an operator under POPIA. Section 21 requires a written agreement obliging the operator to maintain section 19 security measures and act only on your authority. The operator terms can be a schedule to the managed services agreement or a standalone data processing agreement referenced by it.
Can my MSP support me from offshore?
Yes, but section 72 of POPIA must be dealt with. Offshore support — a follow-the-sun helpdesk in India, a security operations centre in Eastern Europe — means personal information is transferred outside South Africa whenever it is accessed from there. Section 72 requires a lawful transfer ground; in practice the cleanest is a contract binding the offshore recipient to protection materially similar to POPIA. Your agreement should also require the provider to disclose and keep current the list of delivery locations, and to obtain consent before adding new ones.
What is transition-out assistance and why does it matter?
Transition-out assistance is the provider's contractual obligation to help you leave: maintaining service levels during a defined exit period, handing over documentation, credentials, configurations and data, and cooperating with the replacement provider — all at rates fixed when the contract is signed. It matters because at exit the bargaining positions invert: the incumbent holds your runbooks, your admin passwords and your institutional knowledge, and without a pre-agreed obligation it can price that cooperation however it likes. It is consistently the clause buyers most regret skipping.
What happens to our staff if we outsource an IT function?
This needs careful, early attention. Where an outsourcing transfers a business function as a going concern, section 197 of the Labour Relations Act can transfer the affected employees to the provider automatically, on their existing terms — and the same analysis arises when you insource again or change providers. Whether section 197 applies turns on the specific facts, and the consequences (for headcount, cost and the deal structure itself) are significant. Specialist employment advice before signing is essential; we brief specialist employment counsel where a transaction raises the question.
How are MSP fees usually structured?
The common models: per-seat or per-user (predictable, suits end-user computing and helpdesk), per-device (suits infrastructure-heavy estates), consumption-based (suits cloud management, scales both ways), and fixed-fee-per-tower (predictable but needs tight scope definitions). Most real deals blend models across towers. On multi-year terms, build in CPI-linked escalation, volume-band repricing as your headcount moves, and a benchmarking right so pricing can be tested against market mid-term.
What audit rights should regulated buyers demand?
Banks, insurers and FSPs are required by their own regulators to manage third-party and outsourcing risk, and those obligations cascade into the contract. At minimum: the right to audit the provider's controls (directly or via independent assessors), access for the regulator itself, the right to receive security-certification and penetration-test summaries, incident-reporting timelines aligned to your regulatory clocks, sub-contractor transparency, and termination rights if the provider blocks supervision. Providers serving regulated clients should expect — and pre-package — these terms.
What does a managed services / IT outsourcing agreement cost to draft?
From R15,000 for a single-tower managed services agreement with POPIA operator terms and a workable SLA and exit schedule. Complex multi-tower outsourcing — multiple service towers, offshore delivery, regulated-buyer cascade terms, asset transfers and a detailed transition-out regime — typically runs R25,000–R40,000. Where section 197 of the LRA is in play, budget separately for specialist employment advice on the transfer itself.