Guide

What belongs in a website maintenance contract?

A complete maintenance contract consists of twelve clearly delineated sections. This page explains each section: why it matters and what concretely needs to go into it. Written for web designers, agencies, and IT service providers who want to handle website maintenance properly — without jargon and without gaps.

SECTION 01

Contracting Parties and Subject Matter

Every contract starts with the question of who is signing it and what it covers. Sounds obvious — but this is often written sloppily and causes disputes the moment ownership, the domain, or the responsible person changes.

What to include

  • Full legal names of client and provider with registered address, authorized representative, and billing address
  • Unambiguous identification of the website(s) under maintenance: primary domain, subdomains, language versions
  • CMS in use and hosting environment
  • Effective date and scope of the agreement
  • Brief purpose statement ("Ongoing technical maintenance of the website")

SECTION 02

Scope of Services: Technical Maintenance

This section spells out which recurring technical work the provider takes on and at what frequency. The more concrete this section is, the fewer arguments later about "was that included?".

What to include

  • CMS core updates with explicit frequency (e.g. weekly, monthly)
  • Plugin, theme, or extension updates including pre-tests on staging
  • PHP, Node, or database patches, where the provider manages the server
  • Database hygiene: cleanup of revisions, transients, and orphaned rows
  • Cache and CDN configuration
  • Image optimization and regular broken-link checks
  • Maintenance of a staging environment as a test and approval stage

Tip: Major version jumps such as PHP 8 → 9 or a TYPO3 LTS migration typically do not belong in standard maintenance. State this explicitly — otherwise it becomes the most expensive point of contention.

SECTION 03

Backups and Recovery

Backups are the website’s life insurance. A contract that only says "backups included" without specifying frequency, retention, and recovery time is worthless when it counts.

What to include

  • Frequency: hourly, daily, or weekly
  • Retention period: 7, 30, 90 days, or longer
  • Storage location, ideally off-site at a second provider or in a different region
  • Snapshot before every update cycle
  • Recovery time (RTO) and maximum data loss (RPO) in hours
  • Quarterly restore test as proof that backups actually work

SECTION 04

Security

Security services prevent expensive emergencies and should be quantified clearly. "Security included" is not a commitment — it is a buzzword.

What to include

  • Malware scan with defined frequency and named tooling
  • Malware removal — typically capped (e.g. one cleanup per quarter)
  • WAF / firewall rules (Cloudflare, Wordfence, Sucuri)
  • Vulnerability scans (Patchstack, WPScan, OWASP ZAP)
  • SSL certificate renewal and monitoring
  • Two-factor authentication for all admin accounts
  • Login hardening: rate limiting, IP allowlist, changed admin URL
  • Incident response with a defined maximum response time

Note: Penetration tests, forensic investigations, and full recovery after a hack are special engagements. They belong in the contract as add-ons, not inside the standard fee.

SECTION 05

Monitoring and Reporting

Monitoring proves the website is actually up. Reporting proves the provider is actually doing something about it.

What to include

  • Uptime monitoring with an explicit polling interval (1 or 5 minutes)
  • Performance monitoring of Core Web Vitals (LCP, CLS, INP)
  • Error monitoring (Sentry, server logs)
  • SEO regression checks (sitemap, indexability, meta tags)
  • Monthly report as PDF or dashboard with the most important KPIs
  • Optional: quarterly strategy call in higher tiers

SECTION 06

Content Maintenance

Content changes are the most common source of scope disputes. A clear quota with clear limits solves the problem.

What to include

  • Monthly hour or minute quota for small changes
  • Rule for unused quota — expires at month end or rolls over for N months
  • Hourly rate for work beyond the quota
  • Number of new pages or posts included in the package
  • Image sourcing and editing (often an add-on)
  • Translations, newsletters, and form upkeep
  • Clear delineation from relaunch, new features, and design work

SECTION 08

Performance and SEO

Performance and search visibility decay quietly. Without regular care, the eventual repair costs many times more than the upkeep.

What to include

  • Tuning of LCP, CLS, and INP per the Core Web Vitals standard
  • Lighthouse audits monthly or quarterly
  • Cache and CDN strategy reviewed regularly
  • Image and asset optimization (WebP/AVIF, lazy loading)
  • Structured data (schema.org) upkeep, especially for shops
  • Indexing monitoring in Google Search Console and Bing Webmaster Tools
  • Redirect management for URL changes (301/410)

SECTION 09

Support, Response Times and SLA

"Fast support" without definition leads to mismatched expectations on both sides. This section sets the response speed and the availability the provider commits to.

What to include

  • Support channels: email, ticket portal, Slack, phone
  • Support hours: business hours (9am–6pm), extended, or 24/7
  • Three priority tiers, each with its own response and resolution time (see table)
  • Uptime commitment: 99.5% or 99.9% per year
  • Service credits on SLA breach — e.g. 10 / 25 / 50% of the following month’s fee
  • Optional: named contact in higher tiers

Common priority tiers

Priority | Definition | Response time | Resolution time
P1 — Critical | Site down, payments broken, data leak | 1h business / 2h 24×7 | 4–8h, best effort
P2 — High | Major feature broken, partial outage, security alert | 4 business hours | 1–2 business days
P3 — Normal | Bug, change request, cosmetic | 1–2 business days | 5 business days
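As an added example (not part of this guide), a small Python check that turns the priority table into concrete response deadlines and tests tickets against them, including the edge case of a P2 ticket opened late on a Friday. It assumes the 9am–6pm Mon–Fri business hours from this section, models P1 as one hour on the clock, and treats a "business day" as one 9-hour window; the sample ticket is constructed.

```python
# Added example: SLA response-deadline check built from the priority table.
# Assumptions: business hours 9:00-18:00 Mon-Fri (Section 09), P1 measured on
# the clock (1 h), and "business day" = one 9-hour business window.
from datetime import datetime, timedelta

BUSINESS_OPEN, BUSINESS_CLOSE = 9, 18  # 9am-6pm, as listed in Section 09

# (unit, amount): "clock" = wall-clock hours, "business" = business hours
RESPONSE_SLA = {
    "P1": ("clock", 1),      # table: 1h business / 2h 24x7; 1h assumed here
    "P2": ("business", 4),   # table: 4 business hours
    "P3": ("business", 18),  # table: 1-2 business days; upper bound 2 x 9h
}

def allowed_downtime_minutes(uptime_pct, days=365):
    """Downtime budget implied by a yearly uptime commitment (e.g. 99.9%)."""
    return days * 24 * 60 * (1 - uptime_pct / 100)

def _at(t, hour):
    return t.replace(hour=hour, minute=0, second=0, microsecond=0)

def add_business_hours(start, hours):
    """Advance `start` by `hours` business hours, skipping nights and weekends."""
    remaining = timedelta(hours=hours)
    t = start
    while True:
        if t.weekday() >= 5 or t.hour >= BUSINESS_CLOSE:
            t = _at(t + timedelta(days=1), BUSINESS_OPEN)  # jump to next morning
            continue
        if t.hour < BUSINESS_OPEN:
            t = _at(t, BUSINESS_OPEN)  # wait until the office opens
        available = _at(t, BUSINESS_CLOSE) - t  # time left in today's window
        if remaining <= available:
            return t + remaining
        remaining -= available
        t = _at(t, BUSINESS_CLOSE)

def response_deadline(opened, priority):
    unit, amount = RESPONSE_SLA[priority]
    if unit == "clock":
        return opened + timedelta(hours=amount)
    return add_business_hours(opened, amount)

def sla_met(opened, first_response, priority):
    """True when the first response arrived within the tier's response time."""
    return first_response <= response_deadline(opened, priority)

if __name__ == "__main__":
    opened = datetime(2024, 3, 15, 16, 0)  # constructed: a Friday, 16:00
    print(response_deadline(opened, "P2"))  # Monday 11:00, not Friday 20:00
```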

SECTION 10

Data Processing Agreement (DPA / GDPR)

As soon as the provider can technically access personal data — and that is the case with every CMS login and every backup — a DPA under Article 28 GDPR is mandatory. Without one, every login is technically a data protection violation.

What to include

  • Subject matter, nature, purpose, and duration of processing
  • Categories of data subjects and personal data
  • Documented instructions from the controller
  • Confidentiality obligation for staff involved
  • List of sub-processors with notification obligation on changes
  • Annex of technical and organizational measures (TOM)
  • Support for data subject requests (access, deletion, portability)
  • Audit and inspection right of the controller
  • Return or deletion of data at contract end

Caution: The DPA belongs as a separate, signed document attached to the main contract. A blanket reference inside the maintenance contract is not sufficient — GDPR requires an independent agreement.

SECTION 11

Pricing, Term and Termination

This is where you negotiate — and where most late-stage conflicts originate. Clear pricing and termination rules prevent silent margin erosion and unwelcome auto-renewals.

What to include

  • Monthly price and billing cycle (monthly, quarterly, annually)
  • Hourly rate for additional work (DACH market: €90–€180/h)
  • One-time setup or onboarding fee (often €250–€1,500)
  • Minimum term, often 12 or 24 months
  • Notice period (typically 30, 60, or 90 days in writing; email usually accepted)
  • Auto-renewal — and how it can be opted out of
  • Price adjustment clause: CPI indexation or fixed annual percentage
  • Payment terms, dunning process, and consequences of late payment

SECTION 12

Liability, Ownership, Termination and Handover

What happens when something goes wrong — or when the engagement ends? These clauses protect both sides and prevent an ugly off-boarding phase.

What to include

  • Liability cap, typically twelve months of fees or a fixed amount (e.g. €10,000–€50,000)
  • Exclusion of indirect and consequential damages
  • Force majeure clause (DDoS, registrar outages, third-party platform problems)
  • Liability for update-related damage: usually only on negligence, with staging tests as risk sharing
  • Intellectual property: client owns content, custom code, and brand assets; provider keeps internal tooling and reusable libraries
  • Confidentiality / NDA with a two- to three-year tail
  • Reversibility clause: handover of codebase, database dump, media, credentials, and logs in machine-readable form without extra fees
  • Data deletion certificate after handover is complete
  • Governing law and venue (typically the provider’s seat; consumer protection rules may override)

ATTACHMENTS

These documents belong together

A complete maintenance contract consists of the master agreement plus several annexes. Only together do they form a legally sound package.

  • Master agreement
  • Statement of work with all selected modules
  • DPA with TOM annex
  • List of sub-processors
  • SLA annex with priorities, response and resolution times, and any service credits
  • Price list with hourly rates for additional work and optional modules

Note: This page is a structured overview, not legal advice. Have individual contract drafts — especially the DPA, liability clauses, and venue — reviewed by qualified counsel before production use.

This structure as a finished contract

Wartungsvertrag Website walks you through all twelve sections and produces a signature-ready PDF at the end — including package, frequencies, DPA, and SLA.