Free Word download • Edit online • Save & share with Drive • Export to PDF
A Web Site Hosting Agreement is a legally binding contract between a hosting provider and a client that establishes the terms under which the provider stores, maintains, and serves the client's website on its servers. It defines the precise scope of services — server type, storage, bandwidth, and included software — alongside uptime commitments, data ownership, acceptable use restrictions, security responsibilities, liability limits, and the process for returning or deleting client data when the relationship ends. Unlike an informal service signup, a signed hosting agreement creates enforceable obligations on both sides and eliminates the ambiguity that arises when performance expectations, payment disputes, or data-loss incidents occur.
Operating a hosting arrangement without a written agreement exposes both the provider and the client to predictable and avoidable risks. A provider without a liability cap can face a client's claim for all lost revenue during a server outage — amounts that can be hundreds of times the monthly hosting fee. A client without a defined SLA has no contractual remedy when their site goes down during peak traffic. Without a data-return clause, clients who leave a provider may find their files deleted the day the contract ends, with no recourse if they are subject to regulatory retention requirements. For providers, the absence of an acceptable use policy removes the contractual basis to suspend accounts distributing malware or illegal content without risking a breach-of-contract counterclaim. This template gives hosting providers a professionally structured starting point that protects their infrastructure and limits their liability, while giving clients the service-level and data-protection assurances they need before transferring control of their online presence to a third party.
| If your situation is… | Use this template |
|---|---|
| Hosting a simple shared-server website for a small business client | Web Site Hosting Agreement (Standard) |
| Providing dedicated server or VPS hosting with enhanced SLA guarantees | Managed Hosting Services Agreement |
| Delivering hosting as part of a broader web design and maintenance package | Web Design and Maintenance Agreement |
| Engaging a third-party vendor to host your company's internal systems | IT Services Agreement |
| Hosting cloud-based software for end users under SaaS terms | SaaS Subscription Agreement |
| Reselling hosting services originally provided by a larger provider | Reseller Hosting Agreement |
| Providing colocation services for client-owned hardware | Colocation Services Agreement |
Why it matters: Without defined storage, bandwidth, and server type, clients escalate usage beyond what the provider priced, and there is no contractual basis to charge overages or throttle service.
Fix: List server type, storage allocation in GB, monthly bandwidth cap, and any included software in the services section — and add a Schedule A for multi-domain or multi-tier arrangements.
Why it matters: A hosting provider whose server suffers a prolonged outage can face a client claim for all lost revenue during the downtime — amounts that can be hundreds of times the monthly hosting fee.
Fix: Cap total liability at 3–6 months of paid fees and explicitly disclaim liability for lost profits, lost data, and business interruption in a standalone clause.
Why it matters: Any scheduled maintenance window — even one minute for a security patch — constitutes a breach of a 100% uptime commitment, giving the client a recurring contract claim.
Fix: Commit to 99.9% or 99.99% uptime and carve out scheduled maintenance windows notified at least 48 hours in advance, client-caused outages, and force majeure events.
Why it matters: Immediately deleting client data upon contract expiry exposes the provider to claims of wrongful destruction, especially when the client is subject to regulatory data-retention requirements.
Fix: Provide a 15-to-30-day window after termination during which the client may download their data, then confirm deletion in writing and retain a destruction log.
Why it matters: The majority of website compromises originate at the application layer — outdated CMS plugins, weak passwords, or unpatched themes — which are entirely within the client's control.
Fix: Use shared-responsibility language: the provider secures the server infrastructure; the client secures their application, CMS, and credentials. State that application-layer breaches are the client's liability.
Why it matters: A notice-and-cure period before suspension is appropriate for billing disputes but not for active malware distribution or illegal content — every hour of delay increases the provider's legal exposure and harms other clients on shared infrastructure.
Fix: Add a carve-out granting the provider the right to suspend or remove content immediately and without prior notice when the violation involves malware, spam, illegal content, or a material threat to server integrity.
In plain language: Identifies the hosting provider and the client as legal entities and describes the specific hosting services being provided — server type, storage allocation, bandwidth, and any included software or control panel access.
This Web Site Hosting Agreement ('Agreement') is entered into on [DATE] between [PROVIDER LEGAL NAME], a [STATE/COUNTRY] [ENTITY TYPE] ('Provider'), and [CLIENT LEGAL NAME], a [STATE/COUNTRY] [ENTITY TYPE] ('Client'). Provider shall host Client's website located at [DOMAIN NAME] on a [SHARED/DEDICATED/VPS] server with [X] GB storage and [X] GB/month bandwidth.
Common mistake: Describing services only as 'web hosting' without specifying server type, storage, and bandwidth. Vague scope leads to billing disputes when the client's site grows beyond what the provider intended to include.
In plain language: States the monthly or annual hosting fee, the billing date, accepted payment methods, and the consequences of late payment — including suspension or termination thresholds.
Client shall pay Provider a hosting fee of $[AMOUNT] per [month/year], billed on the [DAY] of each billing period via [PAYMENT METHOD]. Invoices unpaid for more than [10] days are subject to a late fee of [1.5]% per month. Provider may suspend service after [30] days of non-payment.
Common mistake: No suspension or termination threshold for non-payment. Without it, the provider continues bearing infrastructure costs indefinitely for a non-paying client with no clear contractual right to act.
In plain language: Sets the provider's uptime commitment as a monthly percentage and defines the service-credit remedy if the commitment is missed — including how downtime is measured and what is excluded (scheduled maintenance, client-caused outages).
Provider warrants [99.9]% monthly uptime for the hosted services, excluding scheduled maintenance windows notified at least [48] hours in advance. For each hour of excess downtime, Client shall receive a service credit equal to [5]% of the monthly fee, not to exceed [30]% of the monthly fee in any calendar month.
Common mistake: Promising 100% uptime or omitting exclusions for scheduled maintenance. Both create unmanageable liability — even brief maintenance windows breach an unqualified 100% commitment.
In plain language: Lists prohibited content and activities — spam, malware distribution, copyright-infringing material, illegal content — and grants the provider the right to suspend or remove content that violates the policy immediately.
Client shall not use the hosting services to store, transmit, or distribute: (a) spam or unsolicited bulk email; (b) malware, viruses, or malicious code; (c) content that infringes any third-party intellectual property right; or (d) content that is unlawful in [GOVERNING JURISDICTION]. Provider may suspend or remove violating content immediately and without prior notice.
Common mistake: Failing to include an immediate-suspension right for AUP violations. A notice-and-cure period is appropriate for many breaches, but malware or illegal content requires instant action to protect the provider's infrastructure and other clients.
In plain language: Confirms that the client retains ownership of all website content and data, states the provider's backup frequency and retention period, and clarifies that backups are a convenience — not a substitute for the client's own data management.
Client retains all ownership rights in website content and data stored on Provider's servers. Provider shall perform automated backups of hosted data [daily/weekly], retaining backups for [30] days. Client acknowledges that Provider's backups are made as a convenience only and that Client is solely responsible for maintaining independent copies of critical data.
Common mistake: Providers omitting the 'convenience only' backup disclaimer. Without it, courts may hold the provider liable for data loss even when backups were performed in good faith but failed to capture the most recent data.
In plain language: Defines each party's security responsibilities — the provider's server-level obligations (patching, firewalls, DDoS mitigation) and the client's application-level obligations (keeping CMS software updated, using strong credentials).
Provider shall implement commercially reasonable server-level security measures, including firewall protection, operating system patches applied within [72] hours of release, and DDoS mitigation. Client is solely responsible for securing its web applications, CMS installations, and login credentials. Client shall notify Provider within [24] hours of discovering any suspected security breach.
Common mistake: Assigning all security responsibility to the provider. Shared-responsibility language protects the provider from liability for breaches caused by the client's outdated plugins or weak passwords — which are among the most common attack vectors.
In plain language: Confirms that the provider does not acquire any rights in the client's content and that the client does not acquire any rights in the provider's platform, software, or infrastructure.
Provider acquires no rights, title, or interest in Client's website content by virtue of hosting it. Client acquires no rights in Provider's software, infrastructure, or proprietary systems. Client grants Provider a limited, non-exclusive license to host, cache, and transmit Client's content solely to deliver the hosting services.
Common mistake: Omitting the limited license grant to the provider. Without it, a strict reading of copyright law means the provider technically lacks permission to cache or replicate client content for backup and CDN delivery purposes.
In plain language: Caps the provider's total liability — typically at fees paid in the prior 3–6 months — and disclaims liability for indirect damages such as lost revenue, lost data, or business interruption.
Provider's total liability under this Agreement shall not exceed the fees paid by Client in the [3] months preceding the claim. In no event shall either party be liable for indirect, incidental, consequential, or punitive damages, including lost profits or business interruption, even if advised of the possibility of such damages.
Common mistake: No liability cap at all, or a cap expressed as a percentage of an annual fee on a month-to-month contract. A hosting provider's server failure could theoretically expose it to the client's entire lost-revenue claim — which can dwarf the monthly hosting fee — without an explicit cap.
In plain language: Sets the contract term (monthly, annual, or multi-year), notice requirements for non-renewal, grounds for immediate termination for cause, and the process for returning or deleting the client's data after termination.
This Agreement commences on [START DATE] and continues for [12] months, renewing automatically unless either party provides [30] days' written notice of non-renewal. Either party may terminate immediately for material breach. Upon termination, Provider shall make Client's data available for download for [15] days, after which Provider may permanently delete all hosted data.
Common mistake: No data-return window after termination. Providers who delete data immediately upon contract end expose themselves to client claims of data destruction, particularly where the client is subject to record-retention obligations.
In plain language: Specifies the jurisdiction whose law governs the agreement and how disputes are resolved — litigation, arbitration, or mediation — and the venue for any proceedings.
This Agreement is governed by the laws of [STATE/PROVINCE/COUNTRY]. Any dispute arising under or relating to this Agreement shall be resolved by binding arbitration administered by [AAA/JAMS] in [CITY, STATE], except that either party may seek injunctive relief in any court of competent jurisdiction.
Common mistake: Choosing a governing law with no meaningful connection to where either party operates. Some jurisdictions — particularly in the EU — apply local consumer protection and data law regardless of the governing-law clause.
Use the registered legal name of the hosting provider and the client — not brand names or trading names. Include the state or country of incorporation and the agreement's effective date.
💡 Cross-check the client's legal name against their business registration before signing. Enforcing the agreement against the wrong entity is a common and expensive mistake.
Specify the server type (shared, VPS, dedicated, or cloud), storage allocation in GB, monthly bandwidth, included software (cPanel, Plesk), and the domain name being hosted.
💡 If the client hosts multiple domains or subdomains, list them in a Schedule A rather than the body of the agreement to allow easy amendments.
Enter the monthly or annual fee, billing date, accepted payment methods, late fee percentage, and the number of days after which the provider may suspend service for non-payment.
💡 State the fee in a specific currency, especially for clients in a different country. USD and CAD ambiguity has generated real billing disputes.
Set your uptime percentage (99.9% is the standard for shared hosting; 99.99% for dedicated or mission-critical environments), define how downtime is measured, list maintenance exclusions, and set the service-credit rate per hour of excess downtime.
💡 Cap total monthly service credits at 30% of the monthly fee — uncapped credits can exceed the monthly revenue from a single client in a bad-outage month.
Review the AUP list and add any industry-specific prohibitions relevant to your infrastructure. Confirm that the immediate-suspension right for serious violations is clearly stated.
💡 Reference your full AUP document by URL if it is published on your website, and note that you may update it with [15] days' notice — this avoids amending the contract every time the AUP changes.
Enter your actual backup schedule and retention period. Set the post-termination data-availability window — 15 to 30 days is standard — and state the deletion method after that window closes.
💡 If you cannot reliably deliver daily backups, commit only to weekly. Overpromising on backups and then failing to deliver is one of the most litigated hosting disputes.
Enter the liability cap as the fees paid in the prior 3 months (or 6 months for higher-risk deployments). Confirm the consequential-damages disclaimer covers lost profits, data loss, and business interruption.
💡 Some US states and several EU jurisdictions restrict consequential-damage disclaimers in consumer contracts. If your clients include consumers, have a lawyer review this clause before execution.
Choose the initial term (monthly or annual), set the non-renewal notice window (30 days is standard), and specify the exact number of days the client has to retrieve data after termination.
💡 Send a non-renewal reminder 45 days before the notice deadline — giving the client time to act before you are contractually obligated to begin deletion.
A website hosting agreement is a legally binding contract between a hosting provider and a client that governs the terms under which the provider stores and serves the client's website on its servers. It defines service scope, uptime commitments, fees, data ownership, acceptable use, security responsibilities, liability limits, and what happens to the client's data when the contract ends. Without one, both parties rely on informal understandings that are difficult to enforce.
No law requires a formal hosting agreement, but operating without one exposes both the provider and the client to significant risk. For the provider, it means no contractual basis for the uptime disclaimer, liability cap, or acceptable use restrictions. For the client, there is no guaranteed SLA, no data-return obligation, and no defined remedy for downtime. A signed agreement protects both parties from the moment hosting begins.
99.9% monthly uptime is the industry standard for shared hosting and translates to approximately 43 minutes of allowed downtime per month. Mission-critical applications and dedicated servers typically warrant 99.99% uptime, which allows fewer than 5 minutes of downtime per month. The agreement should also specify how downtime is measured, what events are excluded (scheduled maintenance, client-caused outages, force majeure), and what service credits apply when the SLA is missed.
The client retains full ownership of all website content and data stored on the provider's servers. The hosting agreement should make this explicit and include a limited license granting the provider the right to cache, replicate, and transmit the content solely to deliver the hosting service. Without the limited license grant, the provider technically lacks permission to perform backup and CDN functions under copyright law.
A well-drafted hosting agreement requires the provider to make the client's data available for download for a defined period after termination — typically 15 to 30 days — before permanently deleting it. Clients subject to regulatory record-retention requirements should negotiate a longer window. Always download a full backup before initiating termination rather than relying on the provider's post-termination window.
A liability cap limits the provider's maximum financial exposure to the client — typically the fees paid in the prior 3 to 6 months. This means that even if a prolonged outage costs your business significantly more in lost revenue, the provider's contractual obligation is capped at that amount. Clients who need higher protection for mission-critical sites should negotiate a higher cap or carry their own business interruption insurance.
An acceptable use policy (AUP) is a list of prohibited content and activities — spam, malware, illegal content, copyright infringement — that the client agrees not to host on the provider's servers. It also grants the provider the right to suspend or remove violating content, in some cases immediately and without notice. AUP violations are one of the most common grounds for immediate contract termination in hosting arrangements.
Yes. The agreement can list multiple domains in a Schedule A, with each domain's storage and bandwidth allocation noted separately. This approach keeps the main contract clean while allowing the schedule to be amended as the client adds or removes sites without requiring a full contract re-execution. Agencies and resellers managing dozens of client sites should use a master hosting agreement with a domain-level schedule structure.
For standard shared or VPS hosting arrangements, a high-quality template is generally sufficient for most providers and clients. Consider engaging a lawyer when the arrangement involves dedicated infrastructure for a regulated industry (healthcare, finance), when the client requires HIPAA or PCI DSS compliance representations from the provider, when the annual contract value exceeds $10,000, or when the client is located in a jurisdiction with stringent data protection laws that require specific contractual language.
A web design agreement governs the one-time creation of a website — deliverables, revision rounds, IP ownership, and project timeline. A hosting agreement governs the ongoing service of keeping that site live, accessible, and maintained after launch. Many projects need both: the design agreement covers build; the hosting agreement covers run. Combining them in a single document blurs responsibility and complicates termination.
An IT services agreement covers a broad range of technology support — helpdesk, infrastructure management, software licensing, and network administration. A website hosting agreement is narrowly focused on server-based delivery of a specific website or application. Use the IT services agreement when the vendor manages your entire technology environment; use the hosting agreement when the engagement is limited to hosting a defined site.
A SaaS subscription agreement governs access to a software platform delivered over the internet — it covers licensing, feature access, user seats, and support tiers. A hosting agreement governs the server infrastructure on which a website or custom application runs. The key distinction is ownership: the SaaS client accesses someone else's software; the hosting client runs their own application on rented infrastructure.
A standalone SLA is an exhibit or addendum that defines measurable performance metrics — uptime percentage, response time, resolution time, and service credits — in technical detail. A hosting agreement is the governing contract that incorporates the SLA by reference. The SLA provides the metrics; the hosting agreement provides the legal framework, payment terms, liability limits, and termination rights that make those metrics enforceable.
SaaS providers hosting client-facing applications require enhanced uptime SLAs (99.99%), shared-responsibility security clauses, and explicit data-processing addenda for GDPR and CCPA compliance.
Hosting agreements for healthcare sites must incorporate HIPAA Business Associate Agreement language, define server-side encryption standards, and establish breach notification timelines aligned to the 60-day HIPAA deadline.
E-commerce hosting agreements need PCI DSS compliance representations from the provider, explicit uptime protections covering peak sales periods, and clear liability allocation for payment data breaches.
Law firms, accountants, and consultancies require confidentiality clauses covering client data stored on hosted sites, jurisdiction-specific data residency requirements, and audit-access rights for compliance purposes.
US hosting agreements are primarily governed by state contract law, with no single federal statute specifically regulating hosting services. The Computer Fraud and Abuse Act (CFAA) is relevant to security obligations and unauthorized access. California's CCPA imposes data-handling requirements on providers processing personal data of California residents regardless of the provider's location. Liability caps and consequential-damage disclaimers are generally enforceable but may be limited in consumer contracts under certain state consumer protection statutes.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws require hosting providers processing personal data of Canadian residents to implement appropriate safeguards and, in some provinces, report breaches within 72 hours. Quebec's Law 25 (effective 2023) imposes additional data residency and privacy impact assessment obligations. Limitation-of-liability clauses are generally enforceable in B2B hosting contracts but subject to reasonableness review in consumer arrangements.
Post-Brexit, UK hosting agreements are governed by the UK GDPR and the Data Protection Act 2018 for data involving UK residents. Providers acting as data processors must execute a Data Processing Agreement (DPA) alongside the hosting agreement. The Unfair Contract Terms Act 1977 and Consumer Rights Act 2015 restrict the enforceability of liability exclusions in consumer contracts. The UK's NIS Regulations also impose security and incident-reporting obligations on providers of certain digital services.
GDPR requires that any hosting agreement involving personal data of EU residents include a Data Processing Agreement meeting the requirements of GDPR Article 28, including specific sub-processor disclosure obligations. The EU's NIS2 Directive (effective October 2024) imposes security and incident-reporting requirements on digital infrastructure providers. Liability caps in consumer-facing contracts may be restricted by the Unfair Contract Terms Directive, and governing-law clauses cannot override mandatory EU consumer protection laws applicable in the consumer's country of residence.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Freelance developers and small hosting providers offering standard shared or VPS hosting to non-regulated clients | Free | 30 minutes |
| Template + legal review | Hosting providers with annual contract values above $5,000, multi-site agency arrangements, or clients in regulated industries | $300–$700 | 2–4 days |
| Custom drafted | Dedicated or cloud infrastructure providers, HIPAA or PCI DSS compliance requirements, or enterprise clients with negotiated SLA terms | $1,500–$5,000+ | 1–3 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start free · No credit card required
