An IT support contract is one of the most important agreements your business will ever sign, yet many UK organisations rush through the process, accepting boilerplate terms without truly understanding what they are committing to — or what they are missing. The consequences of a poorly drafted IT support contract range from slow response times and unexpected invoices to catastrophic gaps in coverage during a cyber incident or hardware failure.
Whether you are a growing SME in Manchester looking for your first managed service provider, or an established business in London renegotiating an existing agreement, understanding exactly what should be in your IT support contract is essential. This guide walks you through every critical clause, metric, and consideration to ensure your contract genuinely protects your business and delivers the value you expect.
At its core, an IT support contract defines the relationship between your organisation and your technology partner. It sets expectations, establishes accountability, and provides a framework for resolving disputes. Without a comprehensive contract, you are relying on goodwill — and goodwill rarely survives a crisis.
Service Level Agreements: The Heart of Your Contract
The Service Level Agreement — commonly known as the SLA — is the single most important section of any IT support contract. It defines the measurable standards your provider must meet, the consequences of failing to meet them, and the metrics used to track performance. Without a robust SLA, your contract is little more than a statement of intent.
A well-drafted SLA should specify response times, resolution times, availability guarantees, and escalation procedures for every category of issue your business might face. Response time is how quickly your provider acknowledges a support request, while resolution time is how quickly they actually fix the problem. These are fundamentally different metrics, and many contracts only specify the former — leaving resolution time entirely open-ended.
Priority Levels and Response Times
Your SLA should define clear priority levels based on the severity and business impact of each issue. A typical four-tier structure works well for most UK SMEs, though larger organisations may require additional granularity.
| Priority Level | Description | Response Time | Resolution Target |
|---|---|---|---|
| P1 — Critical | Complete business outage, all users affected | 15 minutes | 4 hours |
| P2 — High | Major system degraded, multiple users affected | 30 minutes | 8 hours |
| P3 — Medium | Single user impacted, workaround available | 2 hours | 24 hours |
| P4 — Low | Minor issue, no immediate business impact | 4 hours | 48 hours |
Ensure your contract specifies whether response and resolution times are measured in business hours or calendar hours. For critical issues, you want calendar hours — a server failure at 6pm on a Friday should not wait until 9am Monday for a response. For lower-priority issues, business hours are generally acceptable.
Many IT support contracts include phrases such as "best efforts to resolve" or "target response times." These phrases have no contractual teeth. If your provider fails to meet a "target," there is no breach because targets are aspirational by nature. Insist on guaranteed response and resolution times with clearly defined consequences — typically service credits — for failure to meet them.
Uptime Guarantees and Availability SLAs
Beyond response and resolution times, your SLA should include clear uptime guarantees for the systems your provider manages. Uptime is typically expressed as a percentage — 99.9 per cent availability, for example, equates to approximately 8.76 hours of permitted downtime per year. Whilst 99.9 per cent sounds impressive, it still allows for nearly nine hours of outage annually, which could encompass an entire business day. For critical systems, you may wish to negotiate 99.95 or 99.99 per cent availability, though these tiers typically come at a premium and require redundant infrastructure to deliver reliably.
Ensure the contract specifies how uptime is measured and reported. Some providers measure uptime only during business hours, which flatters their statistics by excluding overnight and weekend periods when monitoring may be less rigorous. Others exclude scheduled maintenance windows from their uptime calculations, which can significantly inflate the reported figure. The most transparent approach is to measure uptime across all hours, with scheduled maintenance windows clearly communicated in advance and capped at a defined number of hours per month. Your provider should furnish monthly uptime reports as part of their standard reporting obligations.
The contract should also address what happens when uptime guarantees are missed. Service credits — typically calculated as a percentage reduction in the following month's invoice — are the standard remedy. A common structure offers five per cent credit for each 0.1 per cent below the guaranteed uptime, capped at a maximum credit of 25 to 30 per cent of the monthly fee. Whilst service credits rarely compensate for the true business impact of downtime, they provide a financial incentive for the provider to maintain high availability and a mechanism for holding them accountable when standards slip.
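As an added illustration of the two points above (an example written for this page, not code from the article or from Cloudswitched), the script below measures support tickets against the priority table, using the calendar clock for P1/P2 and business hours for P3/P4, and converts an availability figure into permitted downtime and a service credit. The business-hours window (Monday to Friday, 09:00 to 17:00), the choice of clock for each priority, the rule that only completed 0.1 per cent steps of shortfall earn credit, and the ticket records themselves are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Targets from the priority table, in minutes: (response, resolution).
SLA_TARGETS = {
    "P1": (15, 4 * 60),
    "P2": (30, 8 * 60),
    "P3": (2 * 60, 24 * 60),
    "P4": (4 * 60, 48 * 60),
}
# Assumption: P1/P2 run on the calendar clock, P3/P4 in business hours.
CALENDAR_CLOCK = {"P1", "P2"}
# Assumption: business hours are Monday to Friday, 09:00 to 17:00.
BUSINESS_OPEN = time(9, 0)
BUSINESS_CLOSE = time(17, 0)


def business_minutes(start: datetime, end: datetime) -> float:
    """Minutes of Mon-Fri 09:00-17:00 time elapsed between start and end."""
    if end <= start:
        return 0.0
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            open_at = datetime.combine(day, BUSINESS_OPEN)
            close_at = datetime.combine(day, BUSINESS_CLOSE)
            overlap = min(end, close_at) - max(start, open_at)
            if overlap > timedelta():
                total += overlap
        day += timedelta(days=1)
    return total.total_seconds() / 60


def elapsed_minutes(priority: str, start: datetime, end: datetime) -> float:
    """Elapsed time on the clock the contract applies to this priority."""
    if priority in CALENDAR_CLOCK:
        return max(0.0, (end - start).total_seconds() / 60)
    return business_minutes(start, end)


@dataclass
class Ticket:
    ticket_id: str
    priority: str
    raised: datetime
    acknowledged: datetime
    resolved: datetime


def check_ticket(t: Ticket) -> dict:
    """Compare one ticket's response and resolution times with its targets."""
    response_target, resolution_target = SLA_TARGETS[t.priority]
    response = elapsed_minutes(t.priority, t.raised, t.acknowledged)
    resolution = elapsed_minutes(t.priority, t.raised, t.resolved)
    return {
        "ticket_id": t.ticket_id,
        "priority": t.priority,
        "response_minutes": response,
        "response_met": response <= response_target,
        "resolution_minutes": resolution,
        "resolution_met": resolution <= resolution_target,
    }


def sla_compliance(tickets) -> dict:
    """Per priority, the percentage of tickets meeting both targets (monthly report figure)."""
    counts = {}
    for t in tickets:
        r = check_ticket(t)
        met, total = counts.get(t.priority, (0, 0))
        counts[t.priority] = (met + (r["response_met"] and r["resolution_met"]), total + 1)
    return {p: round(100 * met / total, 1) for p, (met, total) in counts.items()}


def permitted_downtime_hours_per_year(availability_pct: float) -> float:
    """Downtime an availability guarantee allows in a 365-day year (99.9 -> 8.76)."""
    return (100 - availability_pct) / 100 * 365 * 24


def measured_availability_pct(downtime_minutes: float, period_minutes: float) -> float:
    """Availability over a period, counting all hours rather than business hours only."""
    return 100 * (1 - downtime_minutes / period_minutes)


def service_credit_pct(guaranteed_pct: float, measured_pct: float,
                       credit_per_step: float = 5, cap: float = 25) -> float:
    """Credit as a percentage of the monthly fee: credit_per_step for each completed
    0.1 per cent of shortfall, capped at cap. Assumption: partial steps earn nothing."""
    shortfall_hundredths = round((guaranteed_pct - measured_pct) * 100)  # units of 0.01%
    if shortfall_hundredths <= 0:
        return 0.0
    steps = shortfall_hundredths // 10
    return float(min(cap, steps * credit_per_step))


# Constructed sample tickets, not real data. 1 March 2024 is a Friday.
SAMPLE_TICKETS = [
    Ticket("T1", "P1", datetime(2024, 3, 1, 18, 0), datetime(2024, 3, 1, 18, 10), datetime(2024, 3, 1, 21, 30)),
    Ticket("T2", "P1", datetime(2024, 3, 1, 18, 0), datetime(2024, 3, 1, 18, 20), datetime(2024, 3, 2, 0, 0)),
    Ticket("T3", "P3", datetime(2024, 3, 1, 16, 30), datetime(2024, 3, 4, 9, 15), datetime(2024, 3, 4, 12, 0)),
    Ticket("T4", "P4", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 15, 0), datetime(2024, 3, 5, 11, 0)),
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(check_ticket(t))
    print("SLA compliance by priority:", sla_compliance(SAMPLE_TICKETS))
    print("Permitted downtime at 99.9%%: %.2f hours/year" % permitted_downtime_hours_per_year(99.9))
    march = measured_availability_pct(downtime_minutes=170, period_minutes=31 * 24 * 60)
    print("March availability: %.3f%%, credit: %.0f%%" % (march, service_credit_pct(99.9, march)))
```

Ticket T3 shows why the clock matters: raised at 16:30 on a Friday and acknowledged at 09:15 on Monday, it is a 45-minute response in business hours but more than 64 hours on the calendar clock. When reviewing a provider's monthly SLA report, ask which clock each priority was measured on and whether the uptime figure excludes maintenance windows, because both choices change the compliance percentage without changing the service you received.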
Scope of Services: What Is and Is Not Covered
Ambiguity over scope is the most common source of disputes between businesses and their IT providers. Your contract must clearly delineate what is included in the fixed monthly fee and what constitutes additional chargeable work. Without this clarity, you will inevitably face unexpected invoices for work you assumed was covered.
At a minimum, your IT support contract should cover the following core services: remote helpdesk support for all users, proactive monitoring of servers, workstations, and network devices, patch management and software updates, backup management and verification, antivirus and endpoint security management, user account administration including starters and leavers, and vendor liaison for third-party software and hardware issues.
Common Exclusions to Watch For
Equally important is understanding what your contract does not cover. Common exclusions that catch businesses off guard include on-site visits (often charged separately per visit or per hour), project work such as office moves, server migrations, or new system implementations, hardware procurement and replacement, third-party application support beyond basic troubleshooting, and out-of-hours support outside the standard Monday-to-Friday window.
Typically Included
- Remote helpdesk support during business hours
- Server and network monitoring (24/7)
- Patch management and updates
- Backup management and daily verification
- Antivirus and endpoint protection
- User account setup and removal
- Monthly reporting and service reviews
- Vendor liaison for supported applications
Typically Excluded (Extra Cost)
- On-site engineer visits
- Project work (migrations, deployments)
- Hardware procurement and installation
- Out-of-hours and weekend support
- Cabling and physical infrastructure
- Bespoke software development
- Training delivery for end users
- Disaster recovery testing beyond standard
Pricing Models: Per User, Per Device, or Flat Fee
The pricing model determines how your monthly cost is calculated and how it scales as your business grows. There are three primary pricing models used by UK managed service providers, each with distinct advantages and disadvantages.
The per-user model charges a fixed monthly fee for each employee covered by the contract, regardless of how many devices that user has. This is the most popular model for modern businesses because it accommodates the reality that most employees now use multiple devices — a laptop, a mobile phone, and perhaps a tablet. A typical per-user rate for UK SMEs ranges from £60 to £120 per user per month, depending on the scope of services included.
The per-device model charges based on the number of devices under management. This can be more economical for businesses where employees use only a single device each, but it becomes expensive and complex to manage when device counts fluctuate. Rates typically range from £15 to £40 per device per month.
The flat-fee model provides a single monthly price covering the entire organisation. This offers maximum budget predictability but requires careful scoping — if your business grows significantly, the provider may seek to renegotiate, and if it shrinks, you may be overpaying.
Managing Scope Changes During the Contract
Your business will change during the lifetime of an IT support contract — new employees join, others leave, offices are opened or closed, and new applications are adopted. Your contract must include a clear mechanism for adjusting scope without requiring a complete renegotiation. This typically takes the form of a change request process, where either party can propose a modification to the scope of services, along with an assessment of the cost impact and a streamlined approval process.
Pay particular attention to how your provider handles scope changes that fall into grey areas. If you deploy a new cloud application and expect your IT provider to support it, is that automatically included under your existing contract, or does it constitute a scope extension? If you hire ten additional employees, does the per-user cost remain the same, or do volume thresholds trigger a different pricing tier? Addressing these scenarios explicitly in the contract prevents awkward conversations and unexpected invoices down the line.
Security and Compliance Obligations
Your IT support contract must explicitly address your provider's obligations regarding cyber security and regulatory compliance. In the UK, this means alignment with GDPR, the Data Protection Act 2018, and where applicable, sector-specific regulations such as FCA requirements for financial services or NHS Digital standards for healthcare.
The contract should specify the security controls your provider will implement and maintain, including endpoint protection, email filtering, firewall management, vulnerability scanning, and incident response procedures. It should also clarify who holds responsibility for data breaches — both in terms of notification obligations under GDPR (which requires the ICO to be informed within 72 hours of becoming aware of a qualifying breach) and in terms of financial liability.
If your business requires Cyber Essentials or Cyber Essentials Plus certification, your contract should oblige your provider to maintain the technical controls necessary to achieve and retain this certification. Many UK government contracts now require Cyber Essentials as a minimum, making this an increasingly important contractual requirement.
Incident Response and Breach Notification Clauses
Your IT support contract should include a dedicated section on incident response — the procedures your provider will follow when a security breach, ransomware attack, or other cyber incident occurs. This section should define the provider's role in the incident response process, including initial containment, investigation, eradication, recovery, and post-incident review. It should specify communication protocols — who will be notified, how quickly, and through which channels — and establish clear lines of authority for decision-making during an incident.
Under UK GDPR, your organisation is required to notify the ICO within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Your contract should oblige your IT provider to notify you of any suspected breach immediately — not within 72 hours, but as soon as the breach is detected — to give you sufficient time to assess the situation and comply with your own notification obligations. The contract should also specify the provider's obligations regarding forensic evidence preservation, as destroying or overwriting evidence during remediation can compromise subsequent regulatory investigations and insurance claims.
Data Ownership and Exit Provisions
One of the most frequently overlooked aspects of an IT support contract is what happens when the relationship ends. Whether you switch providers, bring IT in-house, or your business circumstances change, you need clear provisions governing data ownership, transition assistance, and the handover process.
Your contract should unambiguously state that all data, configurations, documentation, and intellectual property relating to your IT environment remain your property at all times. The provider should be contractually obligated to return or securely destroy all your data upon termination, and to provide reasonable transition assistance to your new provider — typically for a period of 30 to 90 days.
Pay particular attention to any clauses regarding proprietary tools or configurations that your provider installs on your systems. Some providers use proprietary monitoring agents, security tools, or management platforms that are removed when the contract ends, potentially leaving gaps in your security and monitoring capabilities during transition.
Ensure your contract includes: a defined notice period (typically 30-90 days), an obligation to provide full documentation of your environment, assistance with data migration to a new provider, return or certified destruction of all your data, no penalty fees for early termination after the minimum term, and continued access to support during the transition period. These provisions protect your business and prevent vendor lock-in.
Reporting and Service Reviews
A good IT support contract includes regular reporting and periodic service reviews that give you visibility into what your provider is actually doing and how well they are performing against their SLA commitments. Without this transparency, you have no way of assessing whether you are getting value for money.
Monthly reports should cover: the number of support tickets raised and resolved, SLA compliance percentages for each priority level, system uptime statistics, security incidents and responses, patch compliance rates across your estate, and backup success and failure rates. These reports should be accompanied by a regular service review meeting — typically quarterly — where you discuss performance, upcoming projects, strategic recommendations, and any concerns from either side.
Transition Planning and Knowledge Transfer
Effective transitions between IT providers require more than simply handing over passwords. Your contract should mandate that your provider maintains comprehensive, up-to-date documentation of your entire IT environment throughout the contract term — not just at the point of exit. This documentation should include network diagrams, server configurations, software licence details, user access policies, backup schedules, and any bespoke configurations or integrations specific to your setup. If documentation is only created at exit, it is invariably rushed, incomplete, and missing the institutional knowledge that accumulates over years of managing your environment.
The contract should also address knowledge transfer sessions during the transition period. Your outgoing provider should be required to brief your incoming provider on the specifics of your environment, including known issues, workarounds, pending projects, and any recurring problems that require particular attention. These sessions should be scheduled, documented, and signed off by all parties to ensure nothing is lost in the handover. A well-managed transition typically takes 30 to 60 days and should overlap with the incoming provider's onboarding period, allowing both providers to operate in parallel during the changeover.
Insurance and Liability
Your contract should specify the insurance your IT provider carries, including professional indemnity insurance, public liability insurance, and cyber liability insurance. Professional indemnity insurance protects you if your provider's negligence or errors cause your business financial loss — for example, if a misconfigured backup means your data cannot be recovered after a ransomware attack.
The contract should also define liability caps and exclusions. Most providers cap their total liability at the value of the contract over a 12-month period, though this can be negotiated. Pay attention to exclusions — particularly around consequential losses, which include lost revenue and lost business opportunities resulting from IT failures. Many providers exclude consequential losses entirely, which can leave you significantly exposed if a major failure occurs.
Negotiating Liability Terms
Liability clauses are among the most heavily negotiated sections of any IT support contract, and with good reason. The standard provider position — capping liability at the annual contract value and excluding consequential losses entirely — may be commercially reasonable for routine support services but is wholly inadequate for situations where provider negligence leads to a significant data breach or prolonged outage. Your negotiating position should aim for liability caps that reflect the actual risk exposure, not merely the contract value.
Consider negotiating a tiered liability structure that distinguishes between routine service failures and gross negligence or wilful misconduct. For routine SLA breaches, a liability cap of one to two times the annual contract value is standard. For breaches resulting from gross negligence — such as failing to apply a critical security patch that was known to be exploited, or misconfiguring a backup system such that data is permanently lost — the liability cap should be significantly higher, reflecting the true potential impact on your business. Some organisations negotiate uncapped liability for data protection breaches specifically, recognising that the regulatory and reputational consequences of a data breach far exceed any contractual fee.
Contract Duration and Renewal Terms
IT support contracts in the UK typically run for 12, 24, or 36 months. Shorter contracts offer more flexibility but may come with higher monthly fees. Longer contracts often secure better rates but lock you in for an extended period.
Be cautious of automatic renewal clauses. Many contracts include a provision that the agreement automatically renews for a further term unless you provide written notice before the expiry date — often 60 or 90 days in advance. Missing this window can commit you to another year or more with a provider you want to leave. Set calendar reminders well in advance of your renewal date to ensure you have time to review, renegotiate, or switch providers if needed.
Your contract should allow for annual price reviews, but these should be capped — typically at RPI (Retail Prices Index) or a fixed percentage — to prevent unexpected cost increases. Uncapped annual increases give your provider free rein to raise prices, knowing that the switching costs make it difficult for you to leave mid-contract.
Break Clauses and Performance Triggers
Even the most carefully negotiated contract may not deliver the results you expect. Your contract should include performance-based break clauses that allow you to terminate the agreement without penalty if the provider consistently fails to meet their SLA commitments. A common approach is to define a threshold — for example, if the provider fails to meet their SLA targets in three consecutive months, or in four out of any six consecutive months — that triggers the right to terminate with a shortened notice period, typically 30 days rather than the standard 60 or 90.
Material breach clauses should also be clearly defined. A material breach is a failure so significant that it undermines the fundamental purpose of the contract — for example, a complete failure to maintain backups, a refusal to respond to a critical incident, or a breach of confidentiality obligations. The contract should specify that material breaches entitle you to immediate termination without penalty, subject to a reasonable cure period of typically 14 to 30 days for breaches that are capable of being remedied. For breaches that are not capable of remedy — such as a confidentiality violation — the right to immediate termination should apply without a cure period.
Key Questions to Ask Before Signing
Before committing to any IT support contract, ensure you have satisfactory answers to these critical questions:
- What exactly is included in the monthly fee, and what incurs additional charges?
- What are the guaranteed response and resolution times for each priority level, and what happens if they are missed?
- Who owns the data, documentation, and configurations created during the contract?
- What is the exit process, and what assistance is provided during transition?
- What insurance does the provider carry, and what are the liability limits?
- How often will performance be reported and reviewed?
- What happens if the business grows or shrinks significantly during the contract term?
- Are there any penalties for early termination after the minimum period?
Taking the time to negotiate a thorough, balanced IT support contract is one of the best investments your business can make. It sets the foundation for a productive partnership, prevents misunderstandings, and ensures your technology is supported to the standard your business requires.
Need Help With Your IT Support Contract?
Cloudswitched provides transparent, comprehensive IT support contracts for businesses across the UK. Our agreements are clear, fair, and designed to protect your interests. Get in touch to discuss your requirements.