What to look for in an IT contract

So you've decided to work with a third-party IT support provider? Before signing with them, there are some key things you should look for in the contract. These will help give you a better sense of the level and type of support they provide.

The advice in this guide is geared towards an IT support contract for your basic environment (for example, workstations, servers, communications, networks, and general software). While much of this advice will also apply for support contracts for other services (including specialist software packages, your website, and cloud services) there will be differences and other things you will need to consider.

All IT support contracts - or Service Level Agreements (SLA) as they are sometimes called - will be different, depending on the level of support required. But every contract will set out both the provider's expectations of your practice as well as their responsibilities.

You won’t always be able to convince the provider to change some or any of the contract clauses. The advice in this guide will help you decide if the changes you want are so important that you will need to consider working with a different provider.

You want a contract which clearly explains:

All of these are covered in detail below.

How long are we working together?

It should be clear:

  • when the contract starts and ends. Look out for automatic rollover clauses which automatically renew the initial contract unless you specifically ask to end it before a certain date
  • how the contract can be ended. Are the conditions for terminating the contract reasonable or onerous?

What you have to do to keep the contract running

Check for any conditions you have to fulfill and make sure you’re comfortable with them. These might include:

  • full payment by a specified date
  • problems with the system you need to fix before the contract will become valid
  • only making changes to your system if the provider approves them
  • having someone in your team who is responsible for looking after the provider (which usually precludes anyone else calling them when something goes wrong) – this person may do basic support themselves before calling the provider, keep the provider briefed and be available to help out if the provider is called out to your site
  • meeting minimum standards for security and continuity (such as doing backups, using anti-virus software and having an uninterruptible power supply for servers).

What it will cost and what you’ll get for your money

Make sure you know what you’re paying and what you get in return. There are various options and combinations of charging for support, including:

  • fixed fee for everything
  • base fee to guarantee priority support and/or a lower than standard hourly rate
  • fixed number of hours of support for a set fee. You then pay if extra work is needed over and above the agreed hours, or is outside the scope of support covered by the contract. The hourly rate is often reduced to reflect that you have a contract. If you are paying for a fixed number of hours, check whether you will be able to carry over any unused hours to the next month, quarter or year
  • flat fees for specific types of support (for example, adding a new user, setting up a new PC or laptop).

What hardware is covered?

Make sure you know which equipment is covered by your contract. You may need a written list which you both agree on. Or there may be conditions, such as only using equipment your provider has supplied. They may cover everything but with caveats, such as not covering equipment older than a certain age.

PC hardware doesn’t actually fail that often, so you might want to leave PCs out of your contract and focus on items which do fail, such as servers and printers. If you do this, you’ll want a nominated hourly rate for PC repairs.

What software is covered?

Think about the software you use and want covered by the contract. Consider whether the provider has experience supporting the software. You would generally deal directly with the suppliers of specialist software (e.g. clinical software) for support rather than dealing with an IT support provider.

If you have servers, consider what software you are running on them: server operating systems, security software, databases, client management software, specialist software packages and so on.

Also make sure you’re aware of what kind of software you are running on PCs and laptops: operating systems, security software, databases and word processing.

Just as a clinic depends on how well trusted it is for healthcare provision, it also depends on how well trusted it is for handling security. Patient data (whether on paper or in a computer database) is sensitive, and must be kept secure and private.

This toolkit from the Australian Digital Health Agency has information, questions, and a template to help you assess the level of security the vendor provides: Toolkit for selecting secure IT products and services.

Are there limits on types of support?

Make sure you know what types of support are covered.

The contract should be clear about what services are being provided and what is excluded. Support services may include:

  • break/fix for hardware and/or software
  • replacing faulty equipment
  • ensuring software is patched and kept current
  • monitoring disk usage, security, network performance
  • regular housekeeping of servers – software patching, disk health and so on
  • setting up and managing the backup regimes
  • user support
  • user training
  • support for general queries, by phone, email or an online portal
  • setting up new users
  • developing and/or maintaining the inventory of your technology assets, including regular status reporting.

Look for how support will be provided: by phone, remotely or by regular and/or ad hoc site visits.

The standard hours of support should be defined. Check whether out-of-hours support is provided and at what cost.

If you have staff working outside the office, check whether they will be supported and how.

How soon will they try to fix it?

Your contract should include commitments on response times for specific support requests. Server problems will generally require a more urgent response than PC problems. Four hours is common for failures that will put your core business out of action. Find out what it will cost if you need something dealt with more urgently than the contract specifies. As well as specifying response time, the contract may specify a target time to resolve support requests.

How do we request support and how will they respond?

Most providers have a specific procedure they want you to follow to log a support request, so make sure the procedure aligns with your needs and preferences. It may include who can make requests, during what hours, and what form the request must take.

The contract may also specify what form the response will take: it could be support over the phone or you may have to grant them access to control your PCs remotely. It may include expectations about how much time this will take, and how the problem will be escalated if that time limit expires or if the matter is urgent.

The process may run more smoothly if you make sure:

  • you have one contact person who deals consistently with the provider
  • the contract is clear on when escalation occurs and if it incurs additional costs
  • you’ve done what the contract requires you to do
  • you have clear and agreed logs – provided either by you or your provider – to make sure the status of issues and resolution is recorded. The issues logs give important information on which to base any discussions about provider performance. There may also be some recompense financially if issues have taken too long to resolve or remain unresolved.

What’s not covered?

Check the contract’s exclusions and make sure you are OK with them. Some things are often excluded from standard contracts, including:

  • site visits to set up new printers or computers, or to add new users to the network
  • support for non-standard software
  • support for old equipment
  • anything broken before the contract began 
  • upgrades
  • things that break because they’re misused or ‘altered’ by the client.

The contract may also specify that some things will invalidate the contract. Make sure you understand these things and think they’re reasonable.

Key contact (Account Manager)

The contract should specify who will be your key contact. They are often referred to as the Account Manager. This should be someone senior, ideally the business owner in a smaller provider. The Account Manager will be responsible for providing the regular activity reporting, will be the key contact for escalation of issues and will be responsible for compliance with the support contract.

How do we resolve disputes?

Make sure the contract clearly lays out what happens if you have a complaint about the provider (or vice versa). This should include the procedure for making and resolving complaints, and for dealing with those that can’t be resolved (for example, by going to independent arbitration).

Confidentiality agreement

Unless you already have a confidentiality agreement with the support provider, it is imperative that the contract includes confidentiality clauses.

Other things to consider

  • Support providers should have public liability and professional indemnity insurance.
  • Criteria should be set out making clear the standard of work that is required and applicable.
  • Police checks may be needed for the support provider's staff, especially those who will be on site.
  • There should generally be a statement to the effect that the contract will be covered by Australian or NZ (or other relevant) law.
  • Feel free to ask the support provider to clarify anything you don’t understand and to get your lawyer to check the contract before you sign.
  • Advice from an independent IT professional - guiding you through the contract negotiation process - can be very helpful as they will know what questions to ask and can help you balance the risks.