73 percent (project experience) of all small and medium online shops operate without a professional maintenance contract (BITKOM, 2025). Operators update sporadically, only react when problems occur and hope nothing serious happens. This works -- until the first hack, the first data loss or the first multi-hour outage on a high-revenue day. A professional maintenance contract is not insurance against bad luck but a structured system that prevents problems before they arise. This guide shows what a good maintenance contract should include, which SLA tiers make sense and how to spot unreliable offers.
Core Services: What Every Maintenance Contract Must Cover
Regardless of SLA tier, certain services must be included in every professional maintenance contract. Security updates are the most important: known vulnerabilities in CMS, plugins and themes must be patched promptly -- critical patches within 72 hours, regular updates within two weeks. Regular updating is the single most effective measure against cyberattacks.
Backup management ensures that a current, tested backup is available in an emergency. Minimum standard is daily backups with 30-day retention and regular restore tests. Uptime monitoring detects outages in real-time and notifies the maintenance team. SSL management ensures certificates are renewed on time and TLS configuration stays current.
These four core services -- updates, backups, monitoring and SSL -- form the foundation. Without them, a maintenance contract is at best a support contract with response times. Professional maintenance goes beyond this foundation to include proactive measures for performance optimization, security hardening and continuous improvement.
Updates and Patches
Regular updating of CMS, plugins and themes. Critical security patches within 72 hours.
Backup Management
Daily backups with off-site storage, encryption and monthly restore tests.
Monitoring and Alerting
24/7 uptime monitoring with alerting chains and SLA tracking for transparent availability reports.
Security Management
WAF configuration, security headers, hardening and regular vulnerability scans.
Performance Optimization
Cache configuration, database optimization and Core Web Vitals monitoring.
Emergency Support
Defined response times for critical problems. Escalation chains for different severity levels.
SLA Tiers: Basic, Standard and Premium
Service Level Agreements define the scope and quality of maintenance services in measurable metrics. The Basic tier covers core services: security updates, weekly backups, uptime monitoring and SSL management. Response time for problems is 24 hours during business hours (Mon-Fri, 9am-5pm). The uptime target is 99.5 percent (maximum 3.6 hours downtime per month). This tier suits websites with low e-commerce activity.
The Standard tier extends service to include daily backups with off-site storage, complete update management (core and all plugins), performance optimization and security hardening. Response time shortens to 4 hours, service is available Mon-Sat from 8am-8pm, and the uptime target rises to 99.9 percent (maximum 43 minutes per month). This tier is the sweet spot for most online shops.
The Premium tier offers the most comprehensive protection: staging environment with regression tests for all updates, hourly database snapshots, 24/7 monitoring with emergency support, monthly security audits and prioritized response within 1 hour -- 365 days a year. The uptime target is 99.95 percent. This tier is recommended for shops with high revenue where every minute of downtime means direct revenue loss.
Understanding Response Times and Escalation
Response time does not mean resolution time. Response time defines how quickly a qualified technician begins working on a problem after it is reported -- not how quickly the problem is resolved. Reputable providers clearly distinguish between response time (e.g., 1 hour) and resolution time (e.g., 4 hours for critical problems). Be cautious of providers promising extremely short resolution times -- actual resolution time depends on problem complexity.
Professional maintenance contracts define severity levels with different response times: Critical (shop unreachable, data loss, security incident): fastest response, highest priority. High (partial outage, checkout error, performance degradation): shortened response, timely handling. Normal (display issues, non-critical function problems): standard response time. Low (optimization requests, configuration changes): scheduled handling in the next maintenance cycle.
Escalation is an important contract component: what happens when response time is exceeded? A professional contract defines escalation levels -- from first-level support through senior technician to team lead. Each escalation level has its own contact channels and responsibilities. Escalation ensures critical problems do not disappear into a support queue.
Pricing Models: Flat Rate vs. Hourly
Maintenance contracts come in two pricing models: monthly flat rate and hourly contingent. The flat rate covers all defined services at a fixed price -- regardless of how many updates are applied, problems solved or optimizations performed. The hourly contingent defines a number of hours per month available for maintenance work -- unused hours expire or carry over.
For most online shops, we recommend the monthly flat rate: it provides planning certainty, avoids billing surprises and creates no incentive to delay necessary work. With an hourly contingent, a complex update may exhaust the monthly quota, forcing necessary work to be postponed. The flat rate ensures all necessary measures are performed -- without discussion about effort.
The cost of a maintenance contract relative to costs without maintenance is compelling: according to Gartner (2025), one hour of unplanned e-commerce downtime costs an average of 5,600 euros. Cleaning up a hacked website costs 5,000 to 25,000 euros (project experience). A professional maintenance contract costs a fraction of this and prevents these costs proactively. The investment is typically five times cheaper than reactive problem resolution without a contract.
Contract Components in Detail: Technical Documentation
A professional maintenance contract fully documents the technical infrastructure. This starts with an inventory: which CMS in which version is deployed? Which plugins and extensions are installed? What server environment (operating system, PHP version, database) is in place? This documentation is the basis for all maintenance work -- without it, the maintenance team operates blindly. The inventory is created at contract signing and updated with every update.
The contract also defines communication channels and access rights. Who is the technical contact on the customer side? Through which channels are incidents reported -- ticket system, email, phone? Which server access (SSH, FTP, admin panel) does the maintenance team have? These points sound administrative but are critical: in an emergency, every minute counts, and unclear responsibilities delay response. A good maintenance contract settles these points upfront so immediate action is possible in emergencies.
Especially for online shops with third-party integrations -- payment providers, ERP systems, shipping services -- the maintenance contract must clearly delineate the interface scope. Is a checkout error caused by the shop system or the payment API? Who is responsible when ERP synchronization stops working after a plugin update? Professional contracts define maintenance boundaries (scope) and regulate collaboration with external service providers. Without this clarity, blame-shifting replaces problem-solving -- and the shop operator is caught in the middle.
Contract Comparison: What the Value Check Should Cover
When comparing different maintenance offers, a systematic look at actually included services is worthwhile. Some providers list many items but define no measurable quality criteria. A maintenance contract promising "regular updates" without defining frequency is worth less than one explicitly stating "security patches within 72 hours, regular updates weekly in staging, deployed to live after test approval". The level of detail in service descriptions is a reliable indicator of provider professionalism.
Another comparison point is the toolchain: which monitoring systems, backup solutions and security scanners does the provider use? Professional maintenance teams use established solutions for uptime monitoring, automated encrypted backups and regular vulnerability scans. The costs for this infrastructure are part of the maintenance price -- extremely cheap offers often cut corners on tools and therefore quality. Ask about the systems in use: a reputable provider has a clear answer.
Red Flags: Spotting Unreliable Providers
Not every maintenance contract delivers on its promises. Red flags indicating an unreliable provider: no defined response times or SLA metrics. No staging environment for updates (updates applied directly to live system). No backup restore tests (backups created but never tested). No documentation of work performed (customer does not know what was done).
Further warning signs: extremely low prices that cannot cover actual services -- professional maintenance requires qualified technicians and infrastructure. Long contract terms without termination option (reputable providers offer monthly or quarterly termination). No transparency about tools and processes used. And: no reporting on measures taken, problems detected and current security status.
A professional maintenance contract provides monthly reports with: updates performed (version, date), backup status and restore test results, availability statistics against SLA target, security issues detected and resolved, and performance metrics. This transparency enables the customer to evaluate the value of maintenance and make informed decisions about shop development.
What a Good Maintenance Report Must Include
Transparency is the most important quality indicator of a maintenance contract. A professional monthly maintenance report includes: updates performed with version numbers and dates, backup status including restore test results, availability statistics compared to the SLA target, security issues detected and resolved, performance metrics (load time, Core Web Vitals) and a recommendation list for the next period.
This report is more than an administrative obligation -- it documents the value of maintenance and enables informed decisions. When load time trends upward, a performance audit is recommended. When a specific interface's error rate increases, proactive countermeasures are taken. Without regular reporting, maintenance operates blindly. Professional maintenance delivers these reports automatically and supplements them with concrete action recommendations.
Contract Duration and Flexibility
Reputable maintenance providers offer flexible terms: monthly cancellation or quarterly notice period. Long minimum terms of 12 or 24 months are generally not in the customer's interest -- they create dependency without requiring the provider to perform better. A provider offering monthly cancellation trusts that the quality of their work convinces the customer.
Equally important is scalability: as the shop grows, the maintenance contract must be able to grow with it. More plugins, more traffic, higher revenue require more frequent updates, more capable backups and faster response times. A good provider offers a straightforward upgrade path between SLA tiers -- and the return path if requirements decrease.
A professional maintenance contract is the foundation for trouble-free operation of any online shop. It combines preventive measures with fast response to problems and gives the shop operator the confidence to focus on their core business. Choosing the right maintenance partner and the appropriate SLA tier is one of the most important infrastructure decisions for any e-commerce operation. The investment pays for itself through avoided outages, better performance and the certainty that experts have the technical operations under control.
Onboarding: The Startup Process of a Maintenance Contract
The onboarding process determines the quality of the entire maintenance relationship. In the first phase, the maintenance team creates a complete inventory: CMS version, installed plugins with version numbers, server configuration, active integrations and existing security measures. This documentation becomes the reference document for all subsequent maintenance work. In parallel, monitoring infrastructure is set up: uptime checks, performance baselines and alerting chains.
The second phase is the security baseline scan: are there known vulnerabilities in installed versions? Are security headers configured? Is TLS configuration current? Are file permissions correctly set? This initial scan immediately identifies items requiring action and defines priorities for the first maintenance weeks. Many shops have a significant maintenance backlog at contract signing -- onboarding is the structured process to reduce this backlog in a controlled manner without jeopardizing ongoing operations.
The third step is backup infrastructure setup: daily automatic backups with off-site storage, encryption and an initial restore test confirming recoverability. Only when all three phases are complete -- inventory, security baseline and backup infrastructure -- does regular maintenance operations begin. A reputable provider plans two to four weeks for onboarding and documents every step for the customer. Professional maintenance makes onboarding transparent and traceable.
Sources and Studies