Website maintenance contract: the essential clauses

At a time when cyberattacks are multiplying and data protection regulations are tightening, the security of your website has become a major strategic issue.

In 2025, with the constant evolution of threats and the legal framework, your maintenance contract must necessarily include specific provisions relating to the GDPR and cybersecurity.

Discover the essential clauses that must appear in your contract to effectively protect your business and your users.

If you wish to engage a lawyer for a maintenance contract, contact me!

The evolution of the regulatory landscape in 2025

Since it came into force in May 2018, the General Data Protection Regulation (GDPR) has considerably transformed the European digital landscape. In 2025, this regulation has been further strengthened by the adoption of new European directives aimed at harmonising practices more closely and increasing penalties in the event of non-compliance.

The initial text of the GDPR has been supplemented by various case law and CNIL recommendations that have progressively clarified the obligations of businesses. The joint responsibility between the data controller (you) and the processor (your maintenance provider) is now much more strictly governed. The fines imposed have also increased, with an average of 2.5 million euros for serious infringements compared to 1.1 million in 2020.

At the same time, the NIS2 Directive (Network and Information Security), which came fully into force in October 2024, imposes stricter security requirements for many sectors of activity. It broadens the scope of the businesses concerned and strengthens security incident notification obligations.

These regulatory developments have a direct impact on the drafting of your website maintenance contract, which must now include specific clauses to ensure your compliance and protect you in the event of an incident.

The essential GDPR processing clauses

The first category of essential clauses concerns the processing of personal data. Since your maintenance provider has access to your entire infrastructure, it potentially has access to all the personal data collected via your website. The GDPR requires you to precisely govern this relationship.

Your contract must specify that the provider undertakes to process personal data solely for the purposes provided for by the maintenance contract. A purpose limitation clause must explicitly prohibit any use of the data for other purposes, particularly commercial ones.

An often-overlooked aspect concerns the record of processing activities. Your contract must provide for the obligation for the provider to document all of its interventions involving access to personal data. This documentation must include the nature of the intervention, its duration, the people who took part in it and the data concerned.

International data transfers constitute a particularly sensitive point since the invalidation of the Privacy Shield. If your provider is likely to involve teams located outside the European Union, updated standard contractual clauses (SCCs) must be appended to the contract, accompanied by a specific impact assessment demonstrating the equivalence of the level of protection.

The notification of data breaches must be the subject of a detailed clause requiring the provider to inform you within a maximum of 24 hours after the discovery of a potential or established security breach. This clause must provide for the minimum information to be provided and a procedure for jointly managing the incident. A CNIL-specialised lawyer can assist you in drafting these essential clauses.

The cybersecurity guarantees to require from your provider

Beyond purely GDPR aspects, your contract must include solid guarantees regarding cybersecurity. With cyberattacks having increased by 230% since 2020, these provisions are now as important as financial or service-level clauses.

A clause detailing the technical and organisational security measures implemented by the provider is essential. It must cover at a minimum the encryption of sensitive data, the management of privileged access, the logging of actions, backup and restoration procedures, as well as intrusion detection mechanisms.

Security monitoring must be the subject of precise commitments. Your provider must undertake to actively monitor intrusion attempts, analyse event logs and deploy anomaly detection tools. A specific clause should provide for periodic reports on the security status of your infrastructure.

The management of security updates constitutes a critical and often-overlooked point. Your contract must specify the maximum timeframes for applying patches according to their criticality: for example, 24 hours for critical vulnerabilities, 72 hours for major flaws and 7 days for minor problems.

Strong authentication for all access to your infrastructure must be explicitly required. The acceptable methods must be defined (two-factor authentication, client certificates, etc.) and any exceptions strictly governed. An immediate access revocation procedure must also be provided for in the event of the departure of one of the provider's staff members.

Regular penetration tests now constitute an implicit obligation of any serious maintenance contract. Their frequency (at least annual, ideally semi-annual), their scope and the qualifications of the testers must be specified. The contract must provide for the delivery of a detailed report and a remediation plan after each test.

The allocation of responsibilities in the event of an incident

A well-drafted contract must clearly define who is responsible for what in the event of a security incident or data breach. This allocation of responsibilities is essential to avoid conflicts and ensure a rapid and effective response.

The liability clause must distinguish between different scenarios: a security breach due to a maintenance failure, an attack exploiting a known but uncorrected vulnerability, human error during an intervention, etc. For each case, the contract must specify who assumes primary responsibility and to what extent.

The compensation caps must be adapted to the actual risks. Liability limitations that are too restrictive are increasingly contested by the courts, especially when gross negligence on the part of the provider is established. A balance must be struck between protecting the provider and adequately covering your risks.

The crisis management procedure must be formalised in the contract. It must include the contact details of the people to reach 24/7, the composition of a joint crisis unit, the guaranteed response times and the allocation of tasks between your teams and those of the provider.

The provider's assistance obligations in the event of a regulatory investigation must be explicitly provided for. If the CNIL conducts an inspection following an incident, your provider must undertake to provide you with all the necessary information and to fully cooperate with the authorities. The support of a CNIL lawyer is valuable for anticipating these situations.

The reinforced confidentiality clauses

The confidentiality of the information to which your provider has access must be the subject of specific provisions, beyond standard clauses. In 2025, leaks of confidential data represent a major risk to the reputation and competitiveness of businesses.

The contract must provide a precise definition of confidential information that includes not only user data, but also your analytics data, your marketing strategies, your future developments and any other sensitive information accessible via your infrastructure. The expertise of a lawyer specialised in software and database law is useful for precisely defining these scopes.

A non-use clause must prohibit the provider from exploiting your data for the purpose of improving its own services or developing competing solutions, even in an anonymised or aggregated manner, unless explicitly authorised by you.

The confidentiality commitments must be extended to all of the provider's staff members working on your infrastructure. The contract must provide for the obligation for the provider to have its employees and subcontractors sign individual confidentiality agreements, with the possibility for you to obtain a copy on request.

The duration of the confidentiality obligations must exceed that of the contract itself. A period of 3 to 5 years after the end of the contract is generally considered reasonable for most information, but certain particularly sensitive data may justify perpetual protection.

A model GDPR compliance clause for your contract

To help you incorporate these elements into your contract, here is an example of a complete clause relating to GDPR compliance. This clause can serve as a basis for your discussion with a lawyer specialised in digital law who will adapt it to your specific situation:

"The Provider, as a processor within the meaning of the GDPR, undertakes to implement all appropriate technical and organisational measures to guarantee a level of security adapted to the risks associated with the processing of the personal data accessible in the context of the maintenance services. These measures include in particular the encryption of sensitive data, the limitation of access to only those persons necessary for the performance of the services, the complete logging of interventions, and the strong authentication of all parties involved.

The Provider undertakes to notify the Client of any personal data breach within a maximum of 24 hours after becoming aware of it. This notification will be accompanied by all relevant documentation in order to allow the Client, if necessary, to notify this breach to the competent supervisory authority and to the data subjects.

The Provider will assist the Client in carrying out data protection impact assessments and in the prior consultation of the supervisory authority where required. It will keep an up-to-date record of the processing activities carried out on behalf of the Client and will make this record available on simple request.

The Provider guarantees that the persons authorised to process personal data undertake to respect confidentiality and receive the necessary training in the protection of personal data. It undertakes not to subcontract all or part of the services involving access to personal data without the prior written authorisation of the Client."

Incorporating these clauses into an overall cybersecurity strategy

To be fully effective, the GDPR and cybersecurity clauses of your maintenance contract must be part of a broader strategy for securing your digital presence. This overall approach comprises several complementary dimensions.

The training of your teams in good security practices is essential. They must understand the issues at stake with the GDPR, know how to identify potential risks and be familiar with the procedures to follow in the event of an incident. This training must be renewed regularly to take account of regulatory and technological developments.

A business continuity plan (BCP) must be developed in collaboration with your maintenance provider. This plan defines the procedures to follow in the event of a major incident in order to minimise the impact on your business and ensure a rapid resumption of your online services.

A robust backup policy must complement your maintenance contract. It must specify the frequency of backups, their scope, regular restoration tests and the guaranteed timeframes for returning to service in the event of a disaster.

Independent security and GDPR compliance audits must be carried out periodically to verify the effectiveness of the measures in place and identify any gaps in your protection system.

Towards proactive security and lasting compliance

In 2025, the protection of your website can no longer be limited to a reactive approach consisting of correcting problems once they have occurred. A proactive strategy, formalised in a complete and precise maintenance contract, is essential to face current and future challenges.

GDPR compliance and cybersecurity are not one-off objectives to be achieved, but continuous processes that require constant vigilance and permanent adaptation to regulatory and technological developments. Your maintenance contract must reflect this reality by providing for mechanisms for regular review of the measures and procedures.

Investing in a robust maintenance contract incorporating the essential clauses regarding the GDPR and cybersecurity is not only a legal obligation, it is also a factor of trust for your clients and partners. In a context where security incidents regularly make the headlines, demonstrating your commitment to data protection can constitute a significant competitive advantage.

The success of your digital security strategy rests on a balance between technical protection, legal compliance and the adoption of good practices by all of your staff. Your maintenance contract is the cornerstone, the document that formalises your requirements and guarantees their effective implementation by your provider.

To learn more

What essential clauses should a website maintenance contract include?

A maintenance contract must define the scope of the services, the service levels, the response times, security, backups, confidentiality and the conditions for termination. In 2025, it must also incorporate specific provisions relating to the GDPR and cybersecurity.

Why incorporate the GDPR into a maintenance contract?

When the maintenance provider accesses personal data, the contract must incorporate GDPR clauses governing this processing. With the strengthening of the regulation, these provisions have become indispensable to protect the business and its users and to ensure compliance.

Should cybersecurity feature in the maintenance contract?

Yes. Faced with the multiplication of cyberattacks, the maintenance contract must provide for cybersecurity provisions: updates, monitoring, protection measures and response to incidents. These clauses have become essential to effectively secure the website and the business.

Why is maintenance a strategic issue in 2025?

With the multiplication of cyberattacks and the strengthening of regulations, the security of the website has become a strategic issue. The maintenance contract must follow this evolution by incorporating up-to-date provisions on the GDPR and cybersecurity to protect the business.

Has the regulatory framework for maintenance evolved?

Yes. Since it came into force in 2018, the GDPR has transformed the digital landscape and has been further strengthened, with new European directives harmonising practices and increasing penalties. The maintenance contract must reflect this strengthened regulatory framework.

Should service levels be defined in the maintenance contract?

Yes. The contract must specify the expected service levels: availability, response times, frequency of operations. This clear definition avoids disputes over what is covered and guarantees a level of maintenance adapted to the needs of the business.

What should the contract provide for in the event of a cyberattack?

The contract must provide for the provider's obligations regarding the prevention, detection and response to security incidents, as well as the allocation of responsibilities. These clauses allow for a coordinated response in the event of a cyberattack and limit the consequences for the business.

Is a lawyer useful for a maintenance contract?

A lawyer helps to draft a complete and up-to-date maintenance contract, incorporating the GDPR and cybersecurity clauses, the service levels and the allocation of responsibilities. This support protects the business and its users against current risks.
