色花堂

A hosting agreement is a contract between a hosting service provider and a client for the provision of server space, bandwidth, and associated infrastructure to host the client's website, applications, or data. Under English law it is a contract for services, with terms implied by the Supply of Goods and Services Act 1982, including that the service will be provided with reasonable care and skill and within a reasonable time.

Where the hosting provider processes personal data on behalf of the client, UK GDPR Article 28 requires a written Data Processing Agreement specifying the nature and purpose of the processing, the types of personal data involved, the obligations of the processor, and the client's rights to audit and instruct. The hosting agreement should incorporate or attach a compliant DPA, as operating without one exposes both parties to regulatory action by the ICO.

The Online Safety Act 2023 requires in-scope hosting providers to carry out illegal content risk assessments, take proportionate steps to prevent the presence of priority illegal content, and fulfil duties of transparency and accountability. Larger platforms face additional requirements for legal but harmful content. Ofcom has powers to issue compliance notices and financial penalties, which can reach up to 10% of qualifying worldwide revenue.

In business-to-business hosting agreements, liability for downtime can be limited or excluded subject to the reasonableness test under the Unfair Contract Terms Act 1977. Service level agreements (SLAs) typically define uptime guarantees (commonly 99.9% or 99.99%) and specify remedies such as service credits for failures. Exclusions of liability for consequential loss (lost revenue, lost data) are common and generally enforceable in commercial contracts if clearly drafted.

A well-drafted hosting agreement should cover the services provided and SLA commitments, acceptable use policy, payment terms, data processing obligations under UK GDPR, confidentiality, intellectual property ownership, limitation of liability, termination rights, data portability and deletion on termination, and governing law. A clear acceptable use policy helps the provider suspend or terminate services lawfully where the client breaches it.

The Electronic Commerce (EC Directive) Regulations 2002 provide hosting providers with a safe harbour from liability for illegal third-party content if they did not have actual knowledge of it and, on gaining such knowledge, acted expeditiously to remove or disable access to it. The Online Safety Act 2023 supplements this with proactive risk management duties, particularly for large platforms. Failure to act on notice of illegal content removes the safe harbour protection.

Under English law the client retains ownership of intellectual property in content they upload to the hosted environment. The hosting provider should have only a limited licence to use that content for the purpose of delivering the hosting services. The agreement should expressly confirm this ownership position and restrict the provider from using client data for any purpose beyond service delivery, particularly where the data includes personal data protected by UK GDPR.

On termination, the provider should give the client a reasonable period to export or migrate their data before deletion. The agreement should specify the data portability format, the notice period for deletion, and any costs associated with migration assistance. Under UK GDPR, personal data must be deleted or returned to the controller on termination of the processing relationship, and the processor must certify deletion if requested.