Frequently asked questions
Frequently Asked Questions About Shop Maintenance
From costs and SLA models to taking over existing projects: here you will find answers to the most important questions about our managed service for online shops and websites.
General Maintenance Questions
- What exactly is included in a maintenance contract? A maintenance contract bundles everything a shop needs on an ongoing basis for stable, secure operation. This includes regular security updates for core, plugins and server software with an upstream staging test, 24/7 uptime monitoring with active alerting, daily automatic backups with tested recovery, SSL certificate management and monthly or quarterly status reports. On top of that come binding response times per SLA and a dedicated contact person who knows your system. The specific scope is always tailored individually to your project: a high-revenue shop with payment integrations and seasonal load peaks needs a different setup than a content website. Across over 50 managed projects (own project experience), the combination of proactive updates, monitoring and tested backups has shown that most emergencies never arise in the first place. Which building blocks make sense for you is something we clarify in the initial consultation.
- Who benefits from a managed service contract? A maintenance contract is worthwhile for any company that treats its online shop or website as business-critical infrastructure. When downtime directly costs revenue, or an unnoticed security gap puts your customers' trust at risk, ongoing support is not optional but a basic requirement. Typical profiles are shop operators with meaningful online revenue, companies without their own IT department, and agencies wanting to reliably outsource the technical operation of their client projects. A managed service is especially valuable after a security incident or for an aging shop that ran without updates for a long time. Here the benefit shifts from pure reaction toward genuine prevention. Whether the effort pays off for your specific setup is something we assess honestly in the initial consultation or based on our services overview.
- Why should I not handle maintenance myself? Self-managed maintenance is fundamentally possible but requires continuous expertise in platform updates, newly disclosed vulnerabilities, plugin compatibility and server configuration. It also requires the necessary infrastructure: a real staging environment for testing, a monitoring system with alerting, and proven backup and recovery procedures. The real pitfall is rarely a single update but the chain of time pressure, a missing test and a plugin that breaks after the update. In practice, many shop operators underestimate exactly this ongoing effort and the short half-life of the knowledge involved. Professional maintenance shifts the risk to someone who runs these processes daily and frees up your internal resources for the core business. Which tasks you keep and which we take over can be divided flexibly, for instance through training for your team.
- Which systems do you support? Our core focus is on Shopware Community Edition and WordPress including common shop plugins. With Shopware, we deliberately work within the open-source CE, so you are not pushed into proprietary licensing models. With WordPress, we support both classic content websites and shop setups with the widely used extensions. Beyond that, we maintain the underlying server infrastructure: Linux systems, web servers, database servers and caching components. It is precisely this end-to-end view from the application down to the operating system that distinguishes real operational responsibility from simply clicking plugin updates. Which building blocks are relevant for your platform is visible in our services overview.
- Do you also offer maintenance for other shop systems? Our focus is clearly on Shopware CE and WordPress with shop plugins, because here we have the deepest operational experience and know update paths, typical failure patterns and plugin behavior in detail. For other platforms such as TYPO3 or further content management systems, we evaluate on a case-by-case basis whether meaningful support at the usual quality is possible. The deciding factor is less the name of the system than whether we can reliably map the update and security processes. Rather than making a promise we cannot keep, we look at your specific environment. Raise this during the initial consultation, and we will give you an honest assessment of feasibility.
- Can I book individual services without a contract? Yes, we offer many services as one-time projects without committing you to an ongoing contract. These include security audits, performance analyses, cleanup after a hack via our emergency support and server migrations. This is a good way to obtain a first objective condition report on your shop. For continuous operation, however, we recommend a maintenance contract, because many of the most valuable measures only work proactively: monitoring alerts before an outage, an update closes a gap before it is exploited. One-time services repair; a maintenance contract prevents. Which variant fits your situation is something we are happy to clarify in a non-binding conversation.
Pricing and Contract Models
- What does a maintenance contract cost per month? Monthly costs depend on three factors: the scope of managed systems (the number and complexity of shops or websites), the desired SLA tier (Basic, Business or Enterprise) and the estimated ongoing update workload. A single manageable WordPress shop naturally sits well below a complex Shopware setup with several payment integrations and tight response times. We deliberately work with clearly defined services rather than flat rates that quietly produce extra invoices when it matters: there are no hidden costs for standard services. We name specific terms after a brief initial analysis of your project, so the quote matches actual demand. A first orientation is available via our services overview or directly in the initial consultation.
- Is there a minimum contract duration? We recommend a minimum duration of six months. There is a practical reason: the onboarding with audit, cleanup of critical points and setup of staging and monitoring requires effort at the start, and the full benefit of a managed service only unfolds over several months once updates, reports and reviews settle into a rhythm. The exact duration and notice periods are agreed individually and transparently. After an initial phase, many clients opt for annual contracts with automatic renewal because it makes planning easier on both sides. Rigid lock-in contracts are not our goal; what counts is a viable, sustainable collaboration. We are happy to discuss the details via contact.
- Are emergency deployments included in the price? Within the agreed SLA, emergency deployments are included in the monthly flat rate. This covers first response within the committed timeframe, diagnosis and recovery for outages and security incidents. You therefore do not pay extra per incident, which avoids the usual argument about cost at exactly the wrong moment. To be distinguished from the included deployments are demanding special cases, such as the complete cleanup after a major hack with a compromised database, or a system migration. Such work may incur additional charges, but it is always calculated transparently in advance and coordinated with you. How the exact emergency process works is described on the emergency support page.
- Are there additional costs for updates? No. Regular security updates and maintenance work are included in the contract and are not billed separately. This applies to core updates, plugin and theme updates, and server-side updates, each including the upstream staging test and a ready rollback scenario. This predictability is precisely the point of a flat rate. To be distinguished from this is work that goes beyond pure maintenance: feature extensions, a genuine platform migration to a new major version, or extensive performance projects. We quote such undertakings separately so that your ongoing maintenance price stays stable and comprehensible and you know the scope and cost before any larger measure. Which updates fall into your contract is defined during onboarding.
- Can I change the SLA tier during the contract term? Yes, the contract is meant to grow with your requirements. An upgrade to a higher SLA tier is possible at any time, for example when your shop grows, gets more traffic, or the response times need to tighten. The upgrade usually takes effect without a long wait, since monitoring and processes are already established. A downgrade is possible at the next renewal date, so both sides retain planning certainty. Which tier is right for your current requirement profile depends mainly on how critical an outage is for your business and which response times you genuinely need. We advise you on this honestly and without pushing the most expensive option, in the initial consultation.
- How is billing handled? The maintenance flat rate is billed monthly by invoice with payment due within 14 days of invoicing. This keeps administrative effort low and makes ongoing costs easy to plan. You receive a proper invoice with VAT shown. For additional services outside the contract, a clear principle applies: we create a separate quote in advance, so you know the exact scope and costs before commissioning. There are no surprises at the end of the month. For questions about invoicing or individual billing models, for example for agencies with several client projects, we will find a suitable solution together; just reach out via contact.
SLAs and Response Times
- Which SLA tiers do you offer? We work with three graduated models so you do not pay for response times you do not need. The Basic SLA offers a first response within 8 hours on business days, 5-minute monitoring and monthly updates. The Business SLA shortens the first response to 4 hours on business days, checks every minute and applies updates weekly as needed. The Enterprise SLA is aimed at shops where every minute of downtime counts: first response within 45 minutes around the clock, 30-second monitoring and security patches within 24 hours. These tiers are a starting point and can be adapted. A more detailed description of the models can be found on our references page.
- What does first response specifically mean? First response means our technical team begins analyzing the problem within the committed timeframe and informs you of the status. You therefore know reliably that your request has been picked up, that someone is working on it, and what next steps are planned, instead of waiting in the dark. The important distinction: first response is not the same as a complete resolution. How long the actual fix takes depends on complexity, a known plugin issue is resolved faster than a deep-seated server fault. That is precisely why we measure response time as a binding commitment while communicating honestly about resolution time. How we measure and document this is part of our monitoring processes.
- Do response times also apply on weekends and holidays? Under the Enterprise SLA, response times apply 24/7, 365 days a year. This is the right choice for shops that also sell on weekends or around campaign days and where an outage on a Sunday evening is just as expensive as one on a Tuesday morning. Under the Business and Basic SLAs, response times relate to business days. Regardless of the chosen tier, however, the following applies: for critical security incidents, emergency escalation paths are available even under the Business SLA that extend beyond regular business hours. An actively exploited vulnerability does not wait until Monday. How emergency support escalates is described on the corresponding page.
- What happens if the SLA response time is not met? We take our SLA commitments seriously and document every response time without gaps, so that compliance remains verifiable and does not rest on mutual feeling. Should an SLA breach occur in an exceptional case, we analyze the cause, initiate countermeasures and communicate this openly with you rather than concealing it. The specific consequences of an SLA breach, such as credits or other arrangements, are agreed individually in the contract, so there is clarity from the start. For us, permanently eliminating the cause matters more than merely compensating an isolated case. This very transparency feeds into the monthly status report. Which arrangement makes sense for your project is something we discuss in the initial consultation.
- Can I customize the SLA parameters individually? Yes, the three SLA tiers are intended as a starting point, not a rigid corset. In practice, we frequently adapt the parameters to a client's specific reality: shorter response times for defined time windows, additional monitoring metrics beyond the standard checks, or extended availability for seasonal peak times. This flexibility is especially valuable for shops with pronounced seasonal business: before campaign days, monitoring can be intensified, while the standard setup is sufficient in quieter phases. This way you pay for what you actually need rather than continuously for the peak case. Which adjustments make sense for your monitoring is something we clarify concretely in the initial consultation.
- How do you measure SLA compliance? All incidents, response times and measures taken are logged in our system, so every commitment can be substantiated by real timestamps rather than estimates. This creates an objective basis for evaluating service quality. These SLA metrics feed into the monthly status report and are additionally discussed together in the quarterly review. This way you see not only that we keep our commitments but also where trends are emerging, such as recurring incidents around a particular plugin. This transparency is closely interlinked with our monitoring and gives you a realistic picture of your shop's condition at all times.
Migration and Takeover of Existing Projects
- Can you take over a shop built by another agency? Yes, taking over existing projects is one of our most common entry points. You need neither rebuild the shop nor switch to us as your developer to get professional maintenance. We begin with a technical audit in which we soberly assess the shop's condition, identify existing security gaps and outdated components, and derive a prioritized action plan from them. With externally developed shops that contain custom modifications, this inventory is decisive because it surfaces hidden dependencies before the first update is applied. After onboarding is complete, we assume full maintenance responsibility, including monitoring and security updates. We are happy to take the first step in a non-binding conversation.
- What happens during onboarding of an existing project? Onboarding follows a fixed sequence: a technical audit for the inventory, cleanup of critical issues, setup of staging environment and monitoring, creation of system documentation and finally the SLA agreement. This structured start ensures that we do not update a foreign system blindly but first truly understand it. The process typically takes two to four weeks depending on project complexity. This time is well invested, because the documentation and the monitoring we build up pay off across the entire contract period and later enable a seamless handover to a substitute technician. How the concrete transition into regular operation looks is coordinated individually; you can find the building blocks in our services overview.
- Do I need the source code or access from my previous agency? Ideally yes. For a clean takeover, we need access to the server (SSH), the database, the hosting panel and the CMS backend. If your previous agency developed custom plugins or individual modifications, access to the source code of these extensions is additionally very helpful, since otherwise we first have to reconstruct how they work. In reality, handovers are rarely complete, especially when the separation from the previous provider was not smooth. Should individual access be missing, we can find alternative paths in most cases, for example via the hosting provider or by analyzing the running system. Which documents are really necessary for your case and how we bridge gaps is something we clarify concretely in the initial consultation.
- What happens if my shop already has security issues? Then cleanup takes priority. In this case, onboarding begins with prioritized resolution of the acute security issues via our emergency support before we think about regular maintenance. A shop that is already compromised or has an open critical gap is not simply absorbed into the standard process. Only when the system is in a demonstrably stable and secure state, meaning cleaned, patched and monitored, does it transition to regular maintenance. We document the entire cleanup transparently and communicate the resulting costs in advance, so that you stay in control even in the stressful moment of an incident. How such an emergency unfolds is described on the emergency support page.
- Can I keep my hosting provider? In most cases yes. We work with common hosting providers and adapt our maintenance processes to the respective server environment instead of making a migration a condition. For many clients, it is an important argument not to have to touch an existing, working infrastructure without need. If the current hosting clearly does not fit the shop, however, for example due to chronic overload, missing backup options or outdated server software, we raise this openly and advise you on alternatives. Where needed, we handle the server migration as a one-time service, carefully planned and with a fallback option. What is sensible for your setup is something we assess during the audit; a first estimate is available in the initial consultation.
- How long does taking over an existing project take? Complete onboarding typically takes two to four weeks. During this time we run the audit, clean up critical points, set up staging and monitoring and create the system documentation. The range depends mainly on the complexity of the shop and the completeness of the handed-over access. In urgent cases, for example when the takeover happens directly after a security incident, we proceed in two stages: we implement the most critical measures within a few days via emergency support, while regular onboarding continues in parallel. This way no gap arises in which your shop is left unmonitored. We set the concrete timeline for your project after an initial review.
Technical Questions
- How often are backups created? The backup frequency depends on the SLA tier and therefore on the value of your data. Under the Basic SLA, we create daily full backups. Under the Business SLA, hourly incremental backups supplement the daily full backup, so in the worst case only one hour of orders would be affected. Under the Enterprise SLA, transaction logs are additionally maintained, enabling point-in-time recovery to almost any moment. What matters is not just that backups exist but that they work. We therefore regularly test all backups for actual recoverability, because a never-verified backup is often worthless in an emergency. How closely recovery in an emergency is interlinked with our emergency support is described there in more detail.
- How are updates applied? Every update goes through a fixed, multi-stage process. First we apply it to a staging environment, a copy of your live system. There, automated and manual tests verify the critical functions such as the ordering process, payment integrations and search before anything touches the production system. This is exactly where it becomes apparent whether a plugin breaks after the update, without your customers noticing. Only after successful tests is the update deployed to the live system during the agreed maintenance window, and a rollback scenario is ready for every deployment. This keeps the risk manageable even with unexpected side effects. This disciplined sequence is the core of our security updates and distinguishes them from risky updates applied directly in live operation.
- How quickly are security patches applied? With security patches, we prioritize by severity. Critical patches with a CVSS score of 9.0 or higher are applied within 24 hours, because here the window between disclosure and active exploitation is typically very short. For zero-day vulnerabilities with active exploits, we respond immediately and, if no official patch is yet available, deploy compensating controls such as targeted filter rules. Regular, less critical security updates are bundled into monthly to weekly maintenance windows depending on the SLA tier, each with an upstream staging test. This gradation ensures that acute threats are addressed immediately, while routine updates run in a controlled way without unnecessary interventions on the live system. The exact timeframes are part of your SLA.
- Do I receive reports about the state of my shop? Yes. Depending on the SLA tier, you receive monthly or quarterly status reports that comprehensibly summarize the condition of your shop. They contain uptime statistics, all updates performed, incidents that occurred along with their resolution, performance metrics and concrete optimization recommendations for the next phase. This makes maintenance tangible: you see in black and white what happened and what benefit the ongoing support delivered, instead of merely paying a flat rate. Under the Enterprise SLA, you additionally have access to a real-time dashboard through which you can view the current status at any time. The data basis for this is provided by our continuous monitoring.
- What happens if an update fails? We are prepared for an update failure rather than improvising. Before every update, we create a complete, tested backup and verify the update on staging beforehand. Should an update cause problems on the live system despite these tests, we perform a rollback to the last stable state within minutes. In parallel, post-update monitoring detects deviations early, often before end customers notice anything, by watching critical metrics such as response times and error rates right after deployment. This combination of tested backup, fast rollback and close observation is the reason why controlled security updates are considerably less risky than untested updates applied alone.
- Can you also improve the performance of my shop? Yes, performance optimization is a fixed component of our services. We analyze loading times systematically, identify the actual bottlenecks instead of optimizing blindly, and implement targeted measures: caching optimization, image compression, database tuning and a sensible CDN configuration. In a shop in particular, speed directly affects conversion and bounce rate. We make the results measurable via Core Web Vitals and concrete loading time metrics, so you do not have to believe an optimization but can see it in a before-and-after comparison. A noticeably improved loading time pays directly into the user experience. Performance can be a fixed part of the contract or run as a targeted one-time project; which is more sensible for you is something we clarify in the initial consultation.
Collaboration and Communication
- How does regular communication work? Communication follows a clear rhythm so that you neither stay in the dark nor get overloaded with detail. In regular operation, you receive monthly or quarterly status reports depending on the SLA tier, summarizing the condition of the shop, updates performed and monitoring results. During incidents, we leave this routine cadence and inform you immediately via the agreed channel, so you do not have to wait for the next report in an emergency. In addition, there are quarterly review meetings in which we jointly evaluate the results, plan optimization measures and discuss strategic questions. This keeps the collaboration from being merely reactive and lets it develop with foresight. How we set this up concretely is coordinated in the initial consultation.
- Do I have a dedicated contact person? Yes, every project has a dedicated contact person who knows your system in detail and is your first point of contact for all maintenance-related questions. This saves you from repeatedly explaining your setup and ensures decisions that account for the context of your shop, rather than coming anonymously from a queue. So that this personal support does not become a risk during vacation or illness, a second technician stands ready in case of absence and can step in seamlessly thanks to our standardized system documentation. This is exactly why we place so much value on complete documentation during onboarding. You can learn more about our team and way of working on the about page.
- Can we track maintenance work in our project management tool? Yes. On request, we integrate our maintenance work into your existing project management system, so that requests, incidents and measures appear where your team already works. This is especially practical for companies and agencies that do not want to spread their internal overview across several tools. If you do not yet have a suitable system or deliberately want to keep maintenance separate, we alternatively offer our own ticket system. There, all requests, incidents and measures performed are documented without gaps and are traceable at any time. Either way, this creates a complete, verifiable history of your support. Which variant fits your workflows is something we clarify in the initial consultation.
- How do you handle urgent requests outside business hours? This depends on the chosen SLA tier. Under the Enterprise SLA, we are available around the clock, which is the right choice for shops with continuous sales or high business criticality. Under the Business SLA, we offer extended availability until 8 PM on business days, so that evening traffic is not left unattended either. Regardless of the tier, an important exception applies: for critical security incidents, emergency escalation paths are available even under the Business SLA that extend beyond regular business hours. An actively exploited attack on the weekend is not deferred to the next business day. How escalation works in detail is described on the emergency support page.
- What happens if I am not satisfied with maintenance work performed? We take every piece of feedback seriously and treat it as an opportunity to improve the process. If maintenance work does not meet your expectations, we first analyze the cause, correct the specific problem, and then look at whether a process needs to be adjusted so that the same point does not recur. So that criticism is not only welcome in acute cases, feedback is a fixed component of the quarterly reviews. There we regularly discuss improvement requests and channel them into the ongoing collaboration in a structured way. An honest, open feedback culture is, for us, the foundation of long-term support. Fundamental concerns can also be raised with us directly via contact at any time.
- Can we adjust maintenance frequency seasonally? Yes, we deliberately adapt maintenance intensity to your business cycles instead of running the same cadence all year round. Before sales-intensive phases such as the holiday season or other campaign periods, we increase monitoring frequency, conduct preventive load tests and provision additional capacity, so that nothing stalls in your most important revenue window of all. In quieter phases, the focus shifts to strategic optimizations and infrastructure improvements that otherwise leave little room in day-to-day operations, such as performance fine-tuning or clearing out outdated components. This way we use the course of the year sensibly and direct the effort where it brings the greatest benefit. Which peak times are relevant for your shop is something we record in the initial consultation.
Long-Term Collaboration and Contract Development
- How does the maintenance contract develop over time? Most maintenance contracts evolve organically with the client's requirements rather than staying unchanged for years. When a shop grows and receives more traffic, we adjust the monitoring frequency and server capacity. When new features, plugins or payment integrations are added, we expand the maintenance scope accordingly, so no untested components run along unmonitored. So that these adjustments do not happen by chance, we discuss them in a structured way in the quarterly reviews: together we check whether the current SLA tier still fits, where effort is developing and which optimizations are due. This keeps the contract a living reflection of your actual needs. Which building blocks can be combined is shown in our services overview.
- What happens if I want to cancel the maintenance contract? Cancellation is possible at the end of the agreed term with the contractually defined notice period, without hidden hurdles. It matters to us that a separation runs just as professionally as the collaboration, because a poor handover would, in the end, mainly harm your shop. That is why, upon cancellation, we hand over all documented processes, credentials and runbooks to you or your new provider. The system documentation we created and maintained during the contract period remains fully with you and is not tied to us. Our goal is a clean handover that does not jeopardize the continued operation of your shop, rather than binding you to us through missing information. Questions about this we answer at any time via contact.
- Can you also help with the further development of my shop? Our core focus is deliberately on maintenance and stable operation, because that is where our daily strength lies. For major developments such as new features, a redesign or a genuine platform migration, we work closely with specialized developers instead of pretending to cover everything from a single source. The advantage for you lies in the transition: maintenance of newly developed functions is seamlessly incorporated into the existing contract, including tests on staging and inclusion in monitoring. This way nothing falls through between development and operation, which often happens with separate providers lacking a clear interface. If you are planning a development project, we are happy to coordinate the operational part; raise it in the initial consultation.
- Do you offer training for shop administration? Yes, on request we train your internal team, because a well-trained team and professional maintenance are not mutually exclusive but complementary. The training covers basic shop administration, the correct handling of security policies, recognizing suspicious activities, and the correct approach to updates and changes. The goal is a clear division of tasks: your team handles daily administrative work such as product upkeep or content independently and safely, while we take responsibility for technical maintenance, security updates and monitoring in the background. Awareness of security in day-to-day operations in particular, such as the handling of credentials, noticeably reduces risk. Which content makes sense for your team is something we coordinate individually.
- How do you handle data protection and confidentiality? Data protection and confidentiality are non-negotiable with external maintenance, because we have deep access to systems and potentially to customer data. We treat all information about your systems, business processes and data strictly confidentially. All credentials are stored encrypted and made accessible only to authorized team members. For the legal basis, we offer a data processing agreement per Art. 28 GDPR as standard and provide additional non-disclosure agreements on request. When the contract ends, all stored credentials are demonstrably deleted, so that no open access remains after the collaboration. This keeps the support GDPR-compliant throughout the entire lifecycle. We are happy to clarify any open questions about this personally via contact.
- Can I flexibly adjust the maintenance scope? Yes, the maintenance scope is deliberately not rigidly fixed, so that you do not pay for services you do not currently need and can still scale up quickly when required. Upgrades to a higher SLA tier are possible at any time, downgrades at the next renewal date, so both sides retain planning certainty. In addition, individual service components can be added on a one-off basis, for example a targeted performance optimization or extended security scans, without having to restructure the entire contract. This modular structure reflects the fact that requirements shift over time, sometimes seasonally, sometimes through growth. Which modules make sense for your current situation can be found in the services overview or discussed directly in the initial consultation.