Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Hosting Agreement is a legally binding contract between a hosting service provider and a client that governs the terms under which server space, infrastructure, or platform resources are made available. It establishes enforceable obligations on both sides: the provider commits to specific uptime levels, backup procedures, and support response times; the client commits to acceptable use, timely payment, and compliance with the provider's platform rules. Unlike a general service contract, a hosting agreement addresses the specific risks of an always-on, data-dependent service β what happens during an outage, who owns the stored data, and how the client retrieves their files if the relationship ends.
Operating a hosting arrangement without a written agreement leaves both parties exposed to costly, preventable disputes. Providers who omit a backup clause have been held liable for client data losses under implied duty-of-care standards in multiple jurisdictions. Clients with no SLA in writing have no contractual basis to recover losses from extended downtime. Auto-renewal billing without a documented notice window generates chargebacks and regulatory scrutiny in jurisdictions with consumer protection statutes covering subscription services. Data return obligations β increasingly required under GDPR, CCPA, and Quebec's Law 25 β have no force unless they appear in a signed agreement. A properly drafted hosting agreement closes all of these gaps before services go live, and this template gives you a professionally structured starting point you can customize and execute in under an hour.
| If your situation is⦠| Use this template |
|---|---|
| Providing shared or dedicated web hosting to multiple customers | Web Hosting Agreement |
| Hosting a client's application on dedicated managed servers | Managed Hosting Services Agreement |
| Providing cloud infrastructure resources on a pay-as-you-go basis | Cloud Services Agreement |
| Co-locating a client's physical hardware in a data center | Colocation Agreement |
| Offering a software platform to clients who also need hosting included | SaaS Agreement with Hosting Addendum |
| Reselling a third-party hosting provider's infrastructure to end clients | Reseller Hosting Agreement |
| Hosting an event or conference with venue and logistics responsibilities | Event Hosting Agreement |
Why it matters: When a client loses data and the contract is silent on backup obligations, courts in several jurisdictions have imposed an implied duty of care on providers β exposing them to losses far exceeding the contract value.
Fix: State explicitly either that the provider performs automated backups on a defined schedule or that backup is entirely the client's responsibility. Ambiguity is the worst outcome for both parties.
Why it matters: A bare 99.9% uptime promise without carve-outs for scheduled maintenance, DDoS attacks, and upstream provider failures means every outage β regardless of cause β counts against the SLA.
Fix: Define 'Downtime' precisely and list the events excluded from the measurement, including scheduled maintenance windows (with advance-notice requirements), force majeure events, and third-party network failures.
Why it matters: Clients who miss an undisclosed auto-renewal date and are billed for another annual term frequently initiate chargebacks or disputes. In several EU member states and US states, auto-renewal clauses without clear disclosure and cancellation instructions are unenforceable.
Fix: Include a specific cancellation notice window β at least 30 days before renewal β and consider sending a renewal reminder email 45 days before the renewal date as a best practice.
Why it matters: A cap expressed only as a multiple of fees paid creates near-zero exposure for low-cost plans β $150 on a $50/month contract β which courts may find unconscionable or commercially unreasonable for enterprise data loss scenarios.
Fix: Set a floor amount (e.g., 'the lesser of $5,000 or 3 months' fees') so the cap is meaningful without being open-ended. Calibrate to the risk profile of the data you are hosting.
Why it matters: An AUP that only prohibits illegal activity does not address legal but resource-intensive uses β cryptocurrency mining, large-scale scraping, or continuous video transcoding β that can degrade shared infrastructure and trigger upstream provider penalties.
Fix: Add explicit prohibitions on excessive resource consumption, automated high-volume tasks, and any activity that degrades service for other users on shared environments.
Why it matters: Without a defined window for data export, a terminated client has no contractual right to retrieve their own files β leading to disputes, legal threats, and regulatory exposure under data protection laws that require data portability.
Fix: Include a minimum 30-day post-termination export window and a written confirmation of deletion upon client request. Align this with your data retention obligations under applicable privacy law.
In plain language: Identifies the provider and client by legal name and describes the specific hosting services being provided β server type, environment, and any included features.
This Hosting Agreement is entered into as of [DATE] between [PROVIDER LEGAL NAME], a [STATE/PROVINCE] [ENTITY TYPE] ('Provider'), and [CLIENT LEGAL NAME], a [STATE/PROVINCE] [ENTITY TYPE] ('Client'). Provider agrees to furnish the hosting services described in Schedule A ('Services') to Client.
Common mistake: Using brand names or trading names instead of registered legal entity names. This creates enforcement ambiguity if the provider operates under multiple brands or the client disputes responsibility.
In plain language: States the minimum uptime percentage the provider guarantees, the measurement window, what counts as downtime, and the service credits the client receives if the guarantee is missed.
Provider guarantees a monthly uptime of [99.9]% for the Services, excluding Scheduled Maintenance. For each full hour of excess downtime, Client shall receive a service credit equal to [X]% of the monthly fee, up to a maximum of [30]% of fees paid in the affected month.
Common mistake: Defining uptime without specifying what is excluded β scheduled maintenance, DDoS attacks, and third-party outages are commonly carved out, but if that language is missing, the provider is exposed for events it cannot control.
In plain language: Specifies the hosting fee, billing frequency, accepted payment methods, late payment interest, and the provider's right to suspend services for non-payment.
Client shall pay Provider a monthly fee of $[AMOUNT] due on the [1st] day of each month. Invoices not paid within [15] days are subject to interest at [1.5]% per month. Provider may suspend Services upon [5] days' written notice if payment is [30] or more days overdue.
Common mistake: Not including a specific suspension notice period before termination. Immediately cutting off a client's live environment without notice creates liability and reputational damage β even if the contract technically permits it.
In plain language: Defines prohibited uses of the hosting environment β including spam, illegal content, cryptocurrency mining, and resource abuse β and gives the provider the right to suspend immediately for AUP violations.
Client shall not use the Services to transmit spam, host malware, conduct unauthorized network scanning, mine cryptocurrency, or store or distribute content that violates applicable law. Provider may suspend Services immediately upon discovering an AUP violation, without prior notice.
Common mistake: Omitting cryptocurrency mining and resource-intensive automated tasks from the AUP. These activities were not common concerns in older templates but can consume server resources that degrade other clients' environments and trigger provider liability.
In plain language: Confirms that the client owns all data stored on the provider's infrastructure and states the provider's obligations β if any β to back up that data, including frequency, retention period, and restoration SLA.
Client retains exclusive ownership of all data stored on the hosted environment ('Client Data'). Provider shall perform automated backups of Client Data [daily], with a retention period of [30] days. Restoration requests will be fulfilled within [4] business hours.
Common mistake: Treating backup as an implied service rather than a documented obligation. When a provider performs no backups and the client loses data, the absence of a backup clause is not a defense β courts have found implied duties of care in certain jurisdictions.
In plain language: Clarifies that neither party gains ownership of the other's pre-existing IP through the agreement, and that any platform software or tools the provider uses remain the provider's property.
Client retains all rights to Client Data and Client-owned software. Provider retains all rights to its hosting platform, proprietary tools, and infrastructure software. No license is granted to either party beyond what is necessary to perform the Services.
Common mistake: Failing to address third-party software dependencies β open-source components or licensed tools deployed on the provider's stack. If the client is responsible for their own licensing compliance, that should be stated explicitly.
In plain language: Caps the provider's total financial exposure and allocates responsibility for third-party claims arising from each party's acts or failures.
Provider's total aggregate liability under this Agreement shall not exceed the fees paid by Client in the [3] months preceding the event giving rise to the claim. Client shall indemnify Provider against third-party claims arising from Client Data or Client's violation of the AUP.
Common mistake: Setting the liability cap as a percentage of annual fees without a floor. If the client pays $50/month, a 3-month cap is $150 β which may be inadequate and unenforceable in some jurisdictions for gross negligence.
In plain language: Sets the initial contract period, auto-renewal conditions, notice requirements for cancellation, and each party's termination rights β including immediate termination for cause and termination for convenience.
This Agreement commences on [START DATE] and continues for [12] months ('Initial Term'), automatically renewing for successive [12]-month periods unless either party provides [30] days' written notice of non-renewal prior to the end of the then-current term. Either party may terminate for material breach upon [15] days' written notice if the breach is not cured.
Common mistake: Auto-renewal clauses with no notice window β or a notice window shorter than most billing cycles. A client who misses a 7-day cancellation window and gets locked into another annual term will dispute the charge and may succeed in jurisdictions with consumer protection statutes.
In plain language: Requires the provider to make the client's data available for export for a defined period after termination and to delete all copies of client data after that window closes.
Upon termination, Provider shall make Client Data available for download for [30] days. After such period, Provider shall permanently delete all Client Data and, upon request, provide written confirmation of deletion within [5] business days.
Common mistake: No data deletion confirmation requirement. In jurisdictions subject to GDPR or PIPEDA, the provider's obligation to delete personal data and confirm deletion is a compliance requirement β not just a courtesy.
In plain language: Specifies which jurisdiction's law governs the contract, the forum for disputes, and whether disputes go to arbitration, mediation, or court.
This Agreement is governed by the laws of [STATE / PROVINCE / COUNTRY], without regard to its conflict of laws provisions. Any dispute not resolved by good-faith negotiation within [30] days shall be submitted to binding arbitration in [CITY] under the rules of [AAA / JAMS / applicable body], except claims for injunctive relief.
Common mistake: Choosing a governing law with no meaningful connection to where either party operates. Some jurisdictions β notably California β apply local consumer protection law regardless of a contractual choice-of-law clause, invalidating terms the provider expected to rely on.
Use the full legal entity name β as it appears in corporate registry filings β for both provider and client. Include entity type (LLC, Inc., Ltd.) and state or province of registration.
π‘ For individual clients, include both their legal name and their business trading name if services are provided to a sole trader operating under a brand.
Move granular service specifications β server type, storage allocation, operating system, control panel access, and included support hours β to a separate Schedule A rather than embedding them in the agreement body. This lets you update service tiers without amending the core contract.
π‘ Reference the schedule clearly: 'as described in Schedule A, incorporated by reference' β otherwise a court may treat the schedule as a non-binding appendix.
Enter the monthly uptime percentage you can realistically commit to and calculate the service credit rate per hour of excess downtime. Cross-check your infrastructure provider's own SLA to ensure you are not promising more than your upstream allows.
π‘ Cap total service credits at 30% of the monthly fee β uncapped credit obligations can exceed the contract value if a major outage occurs.
State the exact dollar amount, billing frequency, due date, and late payment interest rate. Set a specific number of days for the payment-overdue notice period before suspension is permitted.
π‘ Match the suspension notice period to your billing cycle β a 5-day notice on a monthly bill gives the client one business week to resolve a payment issue before their environment goes offline.
Review the default AUP prohibitions and add or remove items that reflect your specific server environment. Cloud environments, shared hosting, and dedicated servers have different resource-abuse profiles.
π‘ Explicitly prohibit content types that could expose your infrastructure to legal liability in your jurisdiction β adult content, unlicensed software, and gambling platforms all carry platform-specific regulatory risk.
Enter the backup schedule (daily, weekly), how many days of backups are retained, and the business-hours window within which you commit to restoring a backup on client request.
π‘ If you do not offer managed backups, state explicitly that backup is the client's sole responsibility β ambiguity here leads to the most common hosting dispute.
Choose the initial term length, the auto-renewal period, and the advance notice window a client must give to cancel. Ensure the notice window is long enough to allow orderly off-boarding.
π‘ A 30-day cancellation notice on an annual contract is the market standard. Shorter windows benefit the client; longer windows benefit the provider but are frequently disputed.
Both parties should execute the agreement before the hosting environment is provisioned or handed over. Executing after the client's site is already live weakens the enforceability of AUP and liability-limitation clauses.
π‘ Use a timestamped electronic signature to establish the exact execution date β this matters when the auto-renewal calendar and any SLA measurement period are calculated from the commencement date.
A hosting agreement is a legally binding contract between a service provider and a client that governs the provision of server space, infrastructure, or platform resources. It defines uptime commitments, fees, acceptable use rules, data ownership, liability limits, and termination conditions. It differs from a general service agreement in that it specifically addresses SLA metrics, backup obligations, and data portability β issues unique to hosted environments.
You need a hosting agreement any time you provide or purchase ongoing hosting services β whether for a website, web application, database, or managed server. It should be signed before the hosting environment is provisioned or the client's content goes live. Operating without one means uptime, backup, liability, and termination obligations are undefined β and courts will fill those gaps with jurisdiction-specific defaults that may not favor either party.
A complete hosting agreement covers: a description of the services, an uptime SLA with service credit formula, fee and billing terms, an acceptable use policy, data ownership and backup obligations, a liability cap and indemnification, term and auto-renewal conditions, a data return and deletion procedure upon termination, and governing law. Missing the backup and data return clauses are the two most common gaps that generate disputes.
The industry standard for commercial hosting services is 99.9% monthly uptime, which permits approximately 43 minutes of unplanned downtime per month. Higher-tier services often commit to 99.95% or 99.99%. The SLA should specify what counts as downtime, what events are excluded, and the service credit formula β typically a percentage of the monthly fee per hour of excess downtime, capped at 30% of monthly fees.
The client owns all data they store on the hosting environment. A properly drafted hosting agreement states this explicitly and confirms that the provider acquires no rights to the client's data beyond what is necessary to deliver the services. Data ownership language also supports compliance with GDPR, PIPEDA, and other data protection frameworks that require clear identification of the data controller.
The contract should require the provider to make client data available for export for a defined period after termination β typically 30 days β and then permanently delete all copies. Under GDPR and similar privacy laws, the provider must confirm deletion in writing upon request. Without a data return clause, the client has no enforceable right to retrieve their files, and the provider has no clear obligation to delete personal data it no longer has a lawful basis to retain.
Yes β a limitation of liability clause is standard in hosting agreements and generally enforceable in most jurisdictions when the cap bears a reasonable relationship to the contract value. Typically the cap is set at 3β12 months of fees paid. However, courts in the UK, EU, and some Canadian provinces will not enforce liability caps for gross negligence or willful misconduct, and consumer contracts in the EU face additional scrutiny under the Unfair Contract Terms Directive.
No law requires it, but any ongoing hosting arrangement β even a simple shared-hosting plan for a small business site β benefits from a written agreement that documents uptime expectations, backup responsibilities, and what happens to the site's files if the relationship ends. Many small business disputes arise from a provider claiming no backup obligation and a client discovering their site data is gone.
For standard B2B hosting arrangements, a high-quality template is usually sufficient. Consider engaging a lawyer when the client's data is sensitive (medical, financial, or personal data at scale), when the contract value exceeds $50,000 annually, when the client operates in a heavily regulated jurisdiction, or when GDPR or CCPA data processing obligations need to be specifically addressed in a data processing addendum.
An SLA is a performance appendix that defines uptime targets, response times, and remedies β but it is not a standalone contract. A hosting agreement is the governing contract that incorporates the SLA as a component. You need both: the hosting agreement sets the legal framework; the SLA sets the measurable performance obligations within it.
A website development agreement governs a one-time project β design, build, and handover. A hosting agreement governs the ongoing maintenance and availability of that site after launch. Many agencies use both: a development agreement for the build phase and a hosting agreement for the post-launch service relationship.
An IT services agreement covers a broad range of managed technology services β helpdesk, device management, network administration. A hosting agreement is narrower, focused specifically on server infrastructure and data availability. If a managed service provider offers both hosting and broader IT support, a combined MSA with a hosting schedule is more appropriate.
A cloud services agreement governs infrastructure provided on a consumption or subscription basis β compute, storage, and networking billed per unit used. A hosting agreement typically covers a fixed-capacity arrangement for a specific environment. The distinction matters for billing structure: hosting fees are predictable and flat; cloud fees are variable and usage-based.
Platform-as-a-service arrangements require specific data residency clauses, multi-tenant liability allocation, and API rate-limit terms embedded in the SLA.
Hosting agreements for healthcare clients must incorporate HIPAA Business Associate Agreement requirements, audit logging obligations, and specific data encryption standards.
PCI DSS compliance obligations, peak-traffic capacity commitments around seasonal events, and uptime guarantees tied to transaction processing windows are standard additions.
Law firms, accountants, and consultancies require data confidentiality provisions that exceed standard AUPs, along with strict data residency requirements and named-user access controls.
High-bandwidth content delivery, CDN integration terms, content takedown procedures, and copyright indemnification clauses are critical for media hosting arrangements.
Regulatory audit rights, data sovereignty requirements, enhanced encryption standards, and contractual penetration testing obligations are typically required by financial regulators.
No single federal law governs hosting agreements, but CCPA (California), HIPAA (healthcare data), and the CFAA (unauthorized computer access) all intersect with hosting terms. Liability caps and auto-renewal clauses are subject to state-specific consumer protection statutes β California, New York, and Illinois have disclosure requirements for auto-renewal provisions in consumer contracts. Choice-of-law clauses are generally enforceable in B2B contexts.
PIPEDA (federally) and provincial privacy laws such as Quebec's Law 25 impose specific obligations on hosting providers handling personal data, including data breach notification and cross-border transfer restrictions. Quebec's Law 25 requires a Privacy Impact Assessment for personal data transferred outside Quebec. Auto-renewal clauses must be clearly disclosed under consumer protection legislation in several provinces, including Ontario and British Columbia.
The UK GDPR and Data Protection Act 2018 require a Data Processing Agreement between the hosting provider (as data processor) and the client (as data controller) when personal data is stored. Liability caps excluding losses caused by data breaches may be challenged under the Consumer Rights Act 2015 for consumer contracts. Post-Brexit, UK-to-EU data transfers require either an adequacy decision or Standard Contractual Clauses.
GDPR Article 28 mandates a written Data Processing Agreement as a legal prerequisite for any hosting arrangement involving EU personal data. Hosting providers acting as data processors must implement technical and organizational measures, support the client's data subject rights obligations, and accept audit rights. The EU AI Act may impose additional obligations on hosting providers whose infrastructure supports AI model training or inference. Unfair contract terms protections under the Unfair Contract Terms Directive limit the enforceability of overly broad liability exclusions in consumer contexts.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-size hosting providers, freelance developers, and agencies offering standard website or application hosting to SMB clients | Free | 30β60 minutes |
| Template + legal review | Providers hosting sensitive data, healthcare or financial clients, or contracts exceeding $20,000 annually | $400β$800 | 2β4 days |
| Custom drafted | Enterprise hosting arrangements, multi-jurisdiction data residency requirements, HIPAA or PCI DSS compliance, or white-label hosting platforms | $2,000β$6,000+ | 2β4 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Free Forever PlanΒ Β·Β No credit card required
