Website maintenance contract: essential clauses

Brief summary

At a time when cyber-attacks are on the increase and data protection regulations are tightening, the security of your website has become a major strategic issue.

In 2025, with threats and the legal framework constantly evolving, your maintenance contract must imperatively incorporate specific provisions relating to the RGPD and cybersecurity.

Discover the essential clauses that must be included in your contract to effectively protect your company and your users.

If you need a maintenance contract lawyer, contact me!

The changing regulatory landscape in 2025

Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has considerably transformed the European digital landscape. In 2025, this regulation has been further strengthened with the adoption of new European directives aimed at further harmonizing practices and increasing penalties for non-compliance.

The initial text of the RGPD has been supplemented by various case law and recommendations from the CNIL, which have gradually clarified companies' obligations. The joint responsibility between the data controller (you) and the processor (your maintenance provider) is now much more framed. The fines imposed have also increased, with an average of 2.5 million euros for serious infringements, compared with 1.1 million in 2020.

At the same time, the NIS2 (Network and Information Security) Directive, which came fully into force in October 2024, imposes stricter security requirements on many business sectors. It broadens the range of companies concerned and strengthens security incident reporting obligations.

These regulatory changes have a direct impact on the wording of your website maintenance contract, which must now include specific clauses to ensure compliance and protect you in the event of an incident.

Essential RGPD subcontracting clauses

The first category of essential clauses concerns the outsourcing of personal data. As your maintenance provider has access to your entire infrastructure, it potentially has access to all the personal data collected via your site. The RGPD requires you to frame this relationship precisely.

Your contract must specify that the service provider undertakes to process personal data solely for the purposes specified in the maintenance contract. A purpose limitation clause must explicitly prohibit any use of the data for other purposes, in particular commercial purposes.

One aspect that is often overlooked is the register of processing activities. Your contract should include an obligation for the service provider to document all interventions involving access to personal data. This documentation must include the nature of the intervention, its duration, the people involved and the data concerned.

International data transfers are a particularly sensitive issue since the invalidation of the Privacy Shield. If your service provider is likely to involve teams located outside the European Union, updated standard contractual clauses (SCCs) must be appended to the contract, accompanied by a specific impact analysis demonstrating the equivalence of the level of protection.

Data breach notification must be covered by a detailed clause requiring the service provider to inform you within a maximum of 24 hours of the discovery of a potential or actual security breach. This clause must specify the minimum information to be provided and a procedure for joint management of the incident.

The cybersecurity guarantees you need from your service provider

Beyond the purely RGPD aspects, your contract must include solid cybersecurity guarantees. With cyberattacks having increased by 230% since 2020, these provisions are now as important as financial or service level clauses.

A clause detailing the technical and organizational security measures implemented by the service provider is essential. At a minimum, it must cover encryption of sensitive data, management of privileged access, logging of actions, backup and restore procedures, and intrusion detection mechanisms.

Security monitoring must be subject to precise commitments. Your service provider must commit to actively monitoring intrusion attempts, analyzing event logs and deploying anomaly detection tools. A specific clause should provide for periodic reports on the security status of your infrastructure.

The management of security updates is a critical point that is often overlooked. Your contract should specify maximum timeframes for the application of patches according to their criticality: for example, 24 hours for critical vulnerabilities, 72 hours for major flaws and 7 days for minor problems.

Strong authentication for all access to your infrastructure must be explicitly required. Acceptable methods must be defined (two-factor authentication, client certificates, etc.), and any exceptions strictly defined. A procedure for immediate revocation of access should also be provided for when a service provider's employee leaves the company.

Regular penetration testing is now an implicit obligation of any serious maintenance contract. Its frequency (at least once a year, ideally every six months), its scope and the qualifications of the testers must be specified. The contract must require a detailed report and a remediation plan after each test.

Allocating responsibility in the event of an incident

A well-drafted contract must clearly define who is responsible for what in the event of a security incident or data breach. This division of responsibilities is essential to avoid conflicts and ensure a rapid, effective response.

The liability clause must distinguish between different scenarios: a security flaw due to a maintenance fault, an attack exploiting a known but uncorrected vulnerability, human error during an intervention, and so on. In each case, the contract must specify who bears primary responsibility, and to what extent.

Compensation ceilings must be adapted to actual risks. Limitations of liability that are too restrictive are increasingly being challenged by the courts, especially when gross negligence on the part of the provider is established. A balance must be struck between protecting the service provider and adequately covering your risks.

The crisis management procedure must be formalized in the contract. It should include 24/7 contact details, the composition of a joint crisis unit, guaranteed response times and the division of tasks between your teams and those of the service provider.

Obligations to provide assistance in the event of a regulatory investigation must be explicitly stipulated. If the CNIL carries out an inspection following an incident, your service provider must undertake to provide you with all necessary information and to cooperate fully with the authorities.

Reinforced confidentiality clauses

The confidentiality of the information to which your service provider has access must be the subject of specific provisions, over and above the standard clauses. In 2025, confidential data leaks represent a major risk to a company's reputation and competitiveness.

The contract must include a precise definition of confidential information, including not only user data, but also your analysis data, marketing strategies, future developments and any other sensitive information accessible via your infrastructure.

A non-use clause must prohibit the service provider from using your data to improve its own services or to develop competing solutions, even in anonymized or aggregated form, unless you have given your explicit consent.

Confidentiality commitments must be extended to all the service provider's employees working on your infrastructure. The contract must require the service provider to sign individual confidentiality agreements with its employees and subcontractors, with the possibility for you to obtain a copy on request.

The duration of confidentiality obligations must exceed that of the contract itself. A period of 3 to 5 years after the end of the contract is generally considered reasonable for most information, but some particularly sensitive data may warrant perpetual protection.

A model RGPD compliance clause for your contract

To help you incorporate these elements into your contract, here's an example of a complete clause relating to RGPD compliance. This clause can serve as a basis for your discussion with a legal expert, who will adapt it to your specific situation:

"The Service Provider, as a subcontractor within the meaning of the RGPD, undertakes to implement all appropriate technical and organizational measures to guarantee a level of security appropriate to the risks associated with the processing of personal data accessible as part of maintenance services. These measures include, in particular, encryption of sensitive data, minimization of access to only those persons required to perform the services, full logging of interventions, and strong authentication of all those involved.

The Service Provider undertakes to notify the Customer of any personal data breach within 24 hours of becoming aware of it. This notification will be accompanied by any useful documentation to enable the Customer, if necessary, to notify the relevant supervisory authority and the persons concerned.

The Service Provider will assist the Customer in carrying out impact analyses relating to data protection and in prior consultation with the supervisory authority where this is required. The Service Provider will keep an up-to-date register of processing activities carried out on behalf of the Customer, and will make this register available on request.

The Service Provider guarantees that the persons authorized to process personal data undertake to respect confidentiality and receive the necessary training in the protection of personal data. It undertakes not to subcontract all or part of the services involving access to personal data without the Customer's prior written authorization."

Integrate these clauses into an overall cybersecurity strategy

To be fully effective, the RGPD and cybersecurity clauses in your maintenance contract must form part of a broader strategy to secure your digital presence. This comprehensive approach encompasses several complementary dimensions.

Training your teams in good security practices is essential. They must understand what is at stake in the RGPD, know how to identify potential risks and know the procedures to follow in the event of an incident. This training must be renewed regularly to take account of regulatory and technological developments.

A business continuity plan (BCP) must be drawn up in collaboration with your maintenance provider. This plan defines the procedures to be followed in the event of a major incident, to minimize the impact on your business and ensure rapid resumption of your online services.

A robust backup policy should complement your maintenance contract. It should specify the frequency of backups, their scope, regular restoration tests and guaranteed recovery times in the event of a disaster.

Independent security and RGPD compliance audits should be carried out periodically to verify the effectiveness of the measures in place and identify any gaps in your protection arrangements.

Towards proactive security and sustainable compliance

In 2025, protecting your website can no longer be confined to a reactive approach that involves correcting problems once they've occurred. A proactive strategy, formalized in a comprehensive and precise maintenance contract, is essential to meet current and future challenges.

RGPD compliance and cybersecurity are not one-off objectives to be achieved, but ongoing processes that require constant vigilance and ongoing adaptation to regulatory and technological developments. Your maintenance contract must reflect this reality by providing mechanisms for regular review of measures and procedures.

Investing in a robust maintenance contract incorporating essential RGPD and cybersecurity clauses is not only a legal obligation, it's also a confidence-building factor for your customers and partners. In a context where security incidents regularly hit the headlines, demonstrating your commitment to data protection can be a significant competitive advantage.

The success of your digital security strategy depends on a balance between technical protection, legal compliance and the adoption of best practices by all your employees. Your maintenance contract is the cornerstone, the document that formalizes your requirements and guarantees their effective implementation by your service provider.