Numerique

Website maintenance contract: costly mistakes to avoid

Signing a website maintenance contract is essential. However, many companies make mistakes.

Contents
Schedule a discussion

Reading time:

8 min

Signing a website maintenance contract is essential. However, many companies make mistakes.

Your website is now the showcase of your business, an essential commercial tool and sometimes even your main sales channel. Its availability and proper functioning are therefore crucial. Statistics show that a service interruption of just a few hours can lead to considerable financial losses, ranging from a few hundred to several thousand euros depending on your sector of activity.

This is why signing a maintenance contract tailored to your needs proves essential.

However, many companies make mistakes when drafting these contracts, mistakes that can prove particularly costly in the long run.

If you wish to engage a lawyer for a maintenance contract, contact me!

An imprecise definition of service levels (SLAs)

The first major mistake concerns the expected service levels, which are often defined too vaguely. An effective contract must clearly specify the response times in the event of a failure, distinguish between the different types of incidents according to their severity, and specify the maximum resolution times for each. For example, a critical incident rendering your site inaccessible should benefit from a response within 1 to 2 hours maximum, whereas a minor problem affecting only the appearance of a non-essential element can tolerate a longer timeframe.

Without these elements precisely defined, you expose yourself to situations where your site remains inaccessible for hours, or even days, with no real means of leverage over your provider. The financial penalties associated with failure to meet these deadlines should also be clearly stated to ensure optimal responsiveness. A progressive formula is often recommended: for example, a 5% reduction on the monthly invoice for each hour exceeding the contractual deadline for a critical incident.

A recent study conducted among 500 French companies revealed that 67% of them had suffered significant financial losses as a result of prolonged unavailability of their site, even though they had a maintenance contract. The analysis showed that in 83% of cases, the absence of a precise SLA was the cause.

The absence of clauses relating to data protection

In the post-GDPR era we now live in, neglecting the aspects relating to the protection of personal data in your maintenance contract can expose you to considerable penalties. Your maintenance provider regularly accesses your backend and therefore potentially the sensitive data of your customers or users.

The contract must imperatively specify the confidentiality measures imposed, the secure access procedures, and above all the respective responsibilities in the event of a data breach. It is essential to provide for clauses detailing how access is controlled, logged and supervised. Mechanisms such as two-factor authentication should be expressly required for any access to your production environment.

In addition, your contract should include a clear procedure in the event of a data leak, specifying the notification deadlines (maximum 72 hours under the GDPR), the responsibilities of each party and the corrective measures to be implemented. Consult Mirabile Avocat to ensure adequate legal coverage in the face of GDPR requirements. A well-drafted website maintenance contract prepared with the help of a specialist will save you from fines that can reach 4% of your annual turnover or 20 million euros, whichever is higher.

The CNIL has recently stepped up its audits and penalties: in 2024, more than 250 companies were penalised for failures relating to data security, with an average fine of 75,000 euros. In several cases, the unsecured access of maintenance providers was directly at issue.

Let's discuss your needs for 15 min!

A poor definition of the maintenance scope

The scope of intervention is a frequent source of disputes between companies and providers. A vague definition of what falls under routine maintenance or under specific developments billable separately invariably leads to tensions and unexpected invoices.

A well-drafted contract clearly distinguishes between corrective maintenance (fixing existing bugs), preventive maintenance (security updates, regular backups, monitoring) and evolutionary maintenance (adding new features, performance optimisations). Each type of intervention should be associated with a specific billing method: a monthly flat fee for the first two types, and billing by time spent or by fixed price for upgrades.

It is also crucial to specify the technologies covered by the contract. For example, if your site uses WordPress with specific plugins, the contract must explicitly state whether problems related to these third-party plugins are included in the package or whether they are subject to separate billing. The same applies to integrations with external systems such as payment gateways or CRMs.

Without this clarification, you risk paying twice for services you thought were included in your initial package, or worse, finding that certain essential interventions are not carried out because they are considered out of scope by your provider. An audit carried out by the law firm Mirabile revealed that 41% of disputes relating to IT maintenance contracts concerned disagreements over the scope of intervention.

Overlooking reversibility and transfer clauses

Many companies neglect to include reversibility clauses in their maintenance contracts. This mistake can prove particularly problematic when you wish to change providers or bring the management of your site back in-house.

Without clear provisions concerning the handover of source code, the technical documentation, the deployment procedures and the access to the various environments, you risk finding yourself prisoner of your current supplier or facing exorbitant costs to migrate to a new solution. A well-drafted contract must provide for a detailed transfer process, including a transition period during which the former and the new provider collaborate, with precise milestones and clearly identified deliverables.

The intellectual property of the specific developments carried out during the maintenance period must also be explicitly assigned in the contract to avoid any subsequent dispute. Ideally, you should own all the developments carried out on your behalf, including the scripts, modules or extensions created specifically for your site.

A recent case perfectly illustrates this risk: a cosmetics company wished to change providers after three years of collaboration. In the absence of a reversibility clause, it was charged more than 40,000 euros for access to the source code and to the documentation needed to migrate its e-commerce site, whereas its initial transfer budget was 15,000 euros.

I want reliable legal documents!

Insufficient guarantees regarding cybersecurity

The final mistake, and not the least, concerns the security guarantees. With the constant increase in cyberattacks (more than 400% since 2019 according to the latest reports), your contract must imperatively provide for specific provisions concerning vulnerability management, regular penetration testing and incident response procedures.

The implementation deadlines for critical security patches must be particularly short and contractually guaranteed. For example, a critical vulnerability in a CMS such as WordPress should be patched within 24 to 48 hours of the publication of the official fix. Failing to include firm commitments on the updating of components (CMS, plugins, libraries) exposes your site and your customers' data to major risks for which you could be held liable.

Your contract should also specify the frequency of security audits (at least annual) and penetration tests (ideally biannual), as well as the corrective measures to be implemented following these checks. A detailed report should be provided to you after each audit, accompanied by an action plan to remedy the identified vulnerabilities.

The consequences of a security breach can be disastrous: according to a study by the French National Agency for Information Systems Security (ANSSI), the average cost of a cyberattack for a French SME amounts to around 50,000 euros, not counting the reputational damage that can be far more significant. In 60% of cases, the attacked sites had known vulnerabilities that could have been corrected by adequate preventive maintenance.

An instructive case study

To illustrate the importance of these points, consider the case of an online retail company that suffered an attack in 2024. Its site, generating a monthly turnover of 120,000 euros, was unavailable for three days following an SQL injection that could have been avoided by a simple security update. The maintenance contract did not specify any deadline for the application of security patches, and the company was unable to obtain any compensation despite an estimated loss of more than 12,000 euros in direct sales. In addition, the associated data breach resulted in a 50,000 euro fine from the CNIL for breach of the obligation to secure personal data.

Protect your digital business with a tailor-made contract

Drafting an effective maintenance contract requires both technical and legal expertise. The mistakes mentioned above can each lead to significant financial consequences, ranging from simple overbilling to loss of business in the event of prolonged unavailability of your site, or even administrative penalties in the event of non-compliance with the GDPR. A well-drafted contract is not only legal protection but also a clear framework for collaboration that will foster a relationship of trust with your provider and ensure the longevity of your online presence. The investment in legal support for the drafting of your maintenance contract is minimal compared to the financial and reputational risks you incur in the event of a failure.

To learn more

What mistakes should be avoided in a website maintenance contract?

Common mistakes include an imprecise definition of service levels, the absence of clauses on security and the GDPR, a vague scope, poor management of backups and the absence of reversibility. These mistakes can prove particularly costly in the long run.

Why is a maintenance contract essential?

The website is the showcase of the business and sometimes its main sales channel. An interruption of a few hours can lead to considerable financial losses. A suitable maintenance contract ensures the availability and proper functioning of the site, which makes it essential.

Why precisely define service levels (SLAs)?

An imprecise definition of service levels is one of the first mistakes. The contract must specify the availability, the response times and the scope covered. Without a clear SLA, the company exposes itself to disputes and to insufficient coverage in the event of a problem.

What is the cost of a service interruption?

Statistics show that an interruption of a few hours can lead to losses ranging from a few hundred to several thousand euros depending on the sector. This risk justifies a precise maintenance contract, ensuring response times tailored to the criticality of the site.

Should security be provided for in the maintenance contract?

Yes. The absence of clauses on security and the GDPR is a common and costly mistake. The contract must frame the security measures, the updates and the management of personal data, in order to protect the company and its users.

Why properly define the scope of the maintenance?

A vague scope leads to misunderstandings about what is covered or not, a source of disputes and additional costs. The contract must precisely list the services included and excluded, so that the company knows exactly what it can expect from the provider.

Should backups be provided for in the maintenance contract?

Yes. The management of backups is an essential point that is often overlooked. The contract must specify the frequency of backups, their storage and the restoration procedures. Poor management exposes the company to a loss of data that is difficult to repair.

Is a lawyer useful to avoid these mistakes?

A lawyer helps to draft a precise maintenance contract, with clear SLAs, security and GDPR clauses, a defined scope and backup management. This support avoids costly mistakes and protects the company over the long term.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

15 min

Domain name and trademark: legal strategies for comprehensive protection
In today's digital ecosystem, protecting a company's commercial identity relies on a careful interplay between different intellectual property rights. Among these, the trademark and the domain name hold a leading position, forming the cornerstones of the

8 min

IT service contracts: 7 pitfalls that can cost your company dearly
IT service contracts often conceal pitfalls that can lead to considerable consequences.

6 min

New return and refund rules: how to stay compliant?
The rules governing product returns and refunds represent a crucial issue for e-merchants, given their impact on customer relations and the need for compliance with applicable legislation.

6 min

Domain name or trademark: which prevails in the event of a dispute?
Domain names and trademarks, though legally distinct, are often a source of conflict and may give rise to disputes—so which one prevails?

5 min

DORA Lawyer - Cybersecurity
The European regulation on digital operational resilience for the financial sector, also known as the “DORA Regulation” (Digital Operational Resilience Act), is a European Union initiative aimed at strengthening the digital resilience of financial sector players.

6 min

Acceptance report & software: signing the acceptance report does not release the provider from liability
In the field of service contracts, the question of releasing the provider from liability is of paramount importance, particularly where an unconditional acceptance report is involved. This situation raises questions as to the legal scope of that document and as to the obli
Prendre rendez-vous
Book an appointment