IT Support Agreement (UK)
IT SUPPORT AGREEMENT
This IT Support Agreement (the "Agreement") is entered into on [Agreement Date] between:
(1) [Provider Name], of [Provider Address] (the "Provider"); and
(2) [Client Name], of [Client Address] (the "Client").
SERVICES
1.1 With effect from [Start Date], the Provider shall provide the following IT support services (the "Services") to the Client for approximately [Number of Users] users:
[Services Description]
1.2 The Services shall cover the following systems and infrastructure: [Supported Systems]
1.3 Helpdesk and remote support shall be available during [Support Hours]. On-site support shall be available by arrangement.
1.4 The Provider shall carry out the Services with reasonable care and skill in accordance with section 13 of the Supply of Goods and Services Act 1982.
SERVICE LEVEL AGREEMENT
2.1 The Provider shall use reasonable endeavours to respond to incidents within the following target times from receipt of notification, measured during supported hours:
- Priority 1 (Critical — total failure or confirmed security breach): initial response [P1 Response Time]
- Priority 2 (High — significant service degradation): initial response [P2 Response Time]
- Priority 3 (Medium — minor fault, workaround available): initial response [P3 Response Time]
- Priority 4 (Low — general enquiry or non-urgent request): initial response [P4 Response Time]
2.2 Response time targets are measured during supported hours only. The Provider shall notify the Client promptly if it is unable to meet a response target.
2.3 Priority levels shall be assigned by the Provider in good faith based on the impact and urgency of each reported incident.
FEES AND PAYMENT
3.1 The Client shall pay the Provider a monthly support fee of £[Monthly Fee] (plus VAT), invoiced monthly in advance.
3.2 Work falling outside the agreed scope of Services shall be charged at £[Out-of-Scope Rate] per hour (plus VAT), subject to prior written authorisation by the Client.
3.3 Invoices are due for payment within 30 days of the invoice date. Interest on overdue amounts shall accrue in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.
DATA PROTECTION
4.1 The Parties acknowledge that, in performing the Services, the Provider may act as a data processor processing personal data on behalf of the Client as data controller, within the meaning of the UK GDPR and the Data Protection Act 2018.
4.2 The Provider shall: (a) only process personal data in accordance with the Client's documented instructions; (b) ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations; (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; (d) not engage sub-processors without the Client's prior written consent; (e) assist the Client in fulfilling its obligations in relation to data subject rights requests, security obligations, and data breach notifications under the UK GDPR; and (f) at the Client's election, delete or return all personal data at the end of the Agreement.
4.3 The Provider shall notify the Client without undue delay upon becoming aware of a personal data breach affecting the Client's data, in accordance with Article 33 UK GDPR.
TERM AND TERMINATION
5.1 This Agreement shall commence on [Start Date] and shall continue for an initial term of [Initial Term], unless terminated earlier in accordance with this clause.
5.2 Either Party may terminate this Agreement by giving not less than [Notice Period] written notice, to expire at the end of the Initial Term or any renewal period.
5.3 Either Party may terminate immediately upon written notice if the other commits a material breach and fails to remedy it within 30 days of written notice, or becomes insolvent.
5.4 Upon termination, the Provider shall return all Client data and documentation within 30 days and shall provide reasonable transition assistance to enable the Client to migrate to a replacement provider.
LIABILITY
6.1 Nothing in this Agreement excludes liability for death or personal injury caused by negligence, fraud, or any liability that cannot be limited by law.
6.2 Subject to clause 6.1, the Provider's total aggregate liability shall not exceed the total fees paid by the Client in the twelve months preceding the claim.
6.3 Neither Party shall be liable for indirect, consequential, or special losses, including loss of data, loss of profit, or business interruption.
GENERAL
7.1 This Agreement is governed by the laws of England and Wales.
7.2 The Contracts (Rights of Third Parties) Act 1999 shall not apply to this Agreement.
7.3 No variation shall be effective unless in writing and signed by both Parties.
SIGNED by the duly authorised representatives of the Parties:
PROVIDER
Signed: ____________________________
For and on behalf of: [Provider Name]
Date: ____________________________
CLIENT
Signed: ____________________________
For and on behalf of: [Client Name]
Date: ____________________________
What Is an IT Support Agreement (UK)?
An IT Support Agreement in the United Kingdom sets the service levels, data-handling duties, fees, and liability terms under which the technology or platform is supplied, and takes its legal force from the Companies Act 2006.
Modern businesses are fundamentally dependent on their IT infrastructure. A well-drafted IT Support Agreement confirms that the client's systems are maintained and supported to agreed standards, that incidents are resolved within defined timeframes, and that the commercial and legal relationship between the client and the IT provider is clearly structured. The agreement typically covers helpdesk support, remote and on-site assistance, system monitoring, security patch management, backup management, hardware and software procurement, and project-based work.
Service level agreements (SLAs) are a central feature of any IT Support Agreement. SLAs define the expected standard of service delivery — including response times, resolution targets, and system availability metrics — and provide the client with a contractual remedy (typically in the form of service credits) if the provider falls below the agreed standard.
Data protection is another critical dimension of IT support relationships. IT support providers routinely access client systems that contain personal data — employee records, customer databases, financial information, and other sensitive data. Under Article 28 of the UK GDPR, this access must be governed by a binding written data processing agreement. The IT Support Agreement (or an accompanying data processing addendum) must include the mandatory provisions required by UK GDPR to make the arrangement lawful.
Our UK IT Support Agreement template covers all the essential elements — scope of services, SLAs, data protection, security obligations, fees, liability limitations, and termination — in a clear, professionally structured format.
The legal framework governing the IT Support Agreement (UK) in the United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing an IT Support Agreement (UK) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2006 sets the foundational requirements.
When Do You Need an IT Support Agreement (UK)?
An IT Support Agreement is needed whenever a business engages an external IT service provider to manage, maintain, or support its IT systems on an ongoing basis. This includes engaging a managed service provider (MSP) to manage the company's entire IT infrastructure; retaining an IT consultancy to provide helpdesk support and system administration; contracting with a cybersecurity company to monitor the company's network and respond to security incidents; or engaging a specialist provider to manage a specific IT system (such as a cloud platform, ERP system, or telephony infrastructure).
An IT Support Agreement is also needed when the terms of an existing informal IT support relationship need to be formalised — for example, when a business has been relying on an IT provider on an ad-hoc basis and now wishes to put in place a structured retainer arrangement with agreed SLAs.
From a data protection perspective, any business that engages an IT support provider that will have access to systems containing personal data is required by Article 28 UK GDPR to confirm that the arrangement is governed by a written data processing agreement. The ICO (Information Commissioner's Office) can issue enforcement notices and significant fines for failure to have appropriate data processing agreements in place. An IT Support Agreement with a compliant data processing addendum satisfies this obligation.
For small and medium-sized businesses in particular, an IT Support Agreement provides critical protection: it confirms that the client knows exactly what services they are receiving, what response times they can expect, and what will happen if the provider fails to deliver. It also provides the client with certainty about costs and an exit mechanism if the relationship breaks down.
Parties in the United Kingdom should prepare an IT Support Agreement (UK) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your IT Support Agreement (UK)
A thorough UK IT Support Agreement should contain the following key elements.
Scope of services: A precise description of the IT systems, infrastructure, and applications covered by the agreement; the types of support included (helpdesk, remote support, on-site visits, monitoring, patch management, backup management); any hardware or software covered; and explicit exclusions.
Supported hours: The hours during which support is available, including whether any 24/7 or out-of-hours support is provided and at what additional cost.
Service levels: The SLA framework, including priority categories, response time targets, resolution time targets, and the service credit regime that applies if targets are missed.
Data protection: A compliant UK GDPR data processing addendum or equivalent provisions, covering the basis of processing, the categories of data to be processed, the technical and organisational security measures in place, sub-processor obligations, data subject rights assistance, data breach notification, and data return/deletion on termination.
Security obligations: The provider's specific cybersecurity obligations, including patch management, access control, incident response, and any certification requirements (such as Cyber Essentials).
Fees and payment: The fee structure (fixed monthly fee, time and materials, or consumption-based), the invoicing frequency, payment terms, and the process for approving and pricing out-of-scope work.
Liability: Appropriate caps and exclusions on liability, subject to UCTA 1977 compliance.
Term and termination: The initial term, renewal provisions, the notice period required, and the transition obligations upon termination (including data return, knowledge transfer, and reasonable transition assistance).
Additional compliance elements for an IT Support Agreement (UK) used in the United Kingdom include: Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). IT Support Agreement (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/contracts/it-support-agreement-uk
Frequently Asked Questions
A detailed UK IT Support Agreement should cover the following key areas. First, the scope of services — a precise description of the IT systems, infrastructure, and applications covered; the types of support provided (helpdesk, on-site, remote, system monitoring, patch management, backups, and cybersecurity); and any explicit exclusions. Second, service level agreements (SLAs) — the response and resolution times for different priority levels of incident (P1 critical, P2 major, P3 minor), the agreed uptime targets for any managed systems, and the consequences of SLA breach. Third, data protection — since IT support inevitably involves access to client systems and data, the agreement must include appropriate data processing provisions compliant with the UK GDPR and Data Protection Act 2018, including the supplier's obligations as a data processor. Fourth, security — the supplier's obligations in relation to cybersecurity, including compliance with Cyber Essentials or equivalent standards, incident notification obligations, and the procedure for responding to data breaches. Fifth, commercial terms — the fee structure, payment terms, and the process for authorising and charging for out-of-scope work. Sixth, liability limitations — appropriate caps and exclusions, subject to UCTA 1977 compliance. Finally, termination — the notice period, the return of client data, and transition assistance obligations.
UK GDPR has significant implications for IT support arrangements. Where an IT support provider accesses, processes, or stores personal data on behalf of a client, they are acting as a 'data processor' within the meaning of Article 4(8) UK GDPR. The client, as 'data controller', has an obligation under Article 28 UK GDPR to confirm that any data processing by a processor is governed by a binding written contract that includes specific mandatory provisions. These include: that the processor only processes data on the documented instructions of the controller; that the processor ensures persons authorised to process data are subject to confidentiality obligations; that the processor implements appropriate technical and organisational security measures; that the processor does not engage sub-processors without the controller's prior written authorisation; that the processor assists the controller in responding to data subject rights requests and data breach notifications; and that the processor deletes or returns all personal data at the end of the contract. In practice, IT Support Agreements should either include a detailed data processing addendum or incorporate one by reference. Failure to have appropriate data processing provisions in place can result in enforcement action by the ICO.
Service Level Agreements (SLAs) in UK IT support agreements typically categorise incidents by priority level, with different target response and resolution times for each category. A common priority framework used in managed service provider (MSP) contracts is as follows. Priority 1 (Critical) — total system failure, complete loss of a critical business service, or a confirmed security breach: initial response within 1 hour, target resolution within 4 hours. Priority 2 (High) — significant degradation of a critical service, or failure of an important system: initial response within 2 hours, target resolution within 8 business hours. Priority 3 (Medium) — partial failure of a non-critical system, a workaround is available: initial response within 4 business hours, target resolution within 24 business hours. Priority 4 (Low) — minor issues, general enquiries, or requests for information: initial response within 8 business hours, target resolution within 5 business days. SLA response times should be defined in terms of business hours (for example, 09:00–17:30 Monday to Friday, excluding English public holidays) unless 24/7 support is contracted. The agreement should also specify the mechanism for escalating breached SLAs and any service credit regime.
Liability limitation for data loss and security breaches is one of the most commercially important and legally contentious issues in UK IT Support Agreements. Under the Unfair Contract Terms Act 1977 (UCTA), an IT support provider cannot exclude or restrict liability for death or personal injury caused by negligence, and any limitation of liability for other loss must satisfy a reasonableness test. Where the client is a consumer, the Consumer Rights Act 2015 applies additional protections. In practice, most IT support providers include a cap on their total aggregate liability (often equal to the fees paid in the preceding 12 months) and exclude consequential loss, loss of profits, and business interruption. However, courts have sometimes found such caps to be unreasonable in the context of data loss or security breach claims, particularly where the loss was caused by the provider's own negligence. IT support providers should consider maintaining adequate professional indemnity and cyber liability insurance, and clients should confirm that the provider's liability cap is commensurate with the value and sensitivity of the data being handled.
The treatment of client data on termination of an IT Support Agreement is governed by both the contractual terms and the UK GDPR obligations applicable to data processors. Under Article 28(3)(g) UK GDPR, the data processing agreement must require the processor to delete or return all personal data to the controller at the end of the services, and to delete existing copies unless EU or UK law requires storage. In practice, the IT Support Agreement should specify: whether data will be returned or deleted; the format in which data will be returned; the timescale within which return or deletion will be completed; what will happen to backup copies; and whether the provider will provide a written certification that all data has been deleted. The agreement should also address the transition period — the IT support provider should assist the client in transferring IT systems and data to a replacement provider or back in-house, and should provide reasonable transition assistance (subject to payment of reasonable costs). A failure to address data return and deletion on termination can leave a client in a difficult position if their IT provider is uncooperative or goes into administration.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
SaaS Agreement (UK)
Formalise a software as a service subscription in England and Wales with a detailed UK SaaS Agreement. Whether you are a SaaS provider onboarding a business customer or an organisation subscribing to a cloud-based platform, a properly drafted SaaS agreement defines the scope of access, service level commitments, data protection obligations under the UK GDPR, subscription fees, and the rights and responsibilities of each party. Our template is drafted in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Consumer Rights Act 2015, and English common law.
Data Processing Agreement — UK GDPR (England & Wales)
Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.
Maintenance Agreement (UK)
Create a professional Maintenance Agreement for use in England and Wales. This template covers scheduled maintenance, reactive repairs, service levels, call-out charges, and liability provisions in accordance with the Supply of Goods and Services Act 1982 and the Consumer Rights Act 2015. Suitable for property maintenance, equipment servicing, IT infrastructure, and general facilities management contracts.
Service Agreement (UK)
Create a detailed UK service agreement governed by the laws of England and Wales. Covers the Consumer Rights Act 2015, Supply of Goods and Services Act 1982, Late Payment of Commercial Debts (Interest) Act 1998, UK GDPR, IR35, VAT, intellectual property, and confidentiality. Suitable for consultants, freelancers, agencies, and businesses of all sizes.
Consultancy Agreement (UK)
Create a detailed UK Consultancy Agreement governed by the laws of England and Wales. This template covers scope of services, fees and payment in GBP, intellectual property ownership, confidentiality, data protection (UK GDPR / Data Protection Act 2018), IR35 off-payroll working status, right of substitution, non-solicitation, insurance requirements, limitation of liability, and indemnity. Suitable for limited companies, LLPs, sole traders, partnerships, and individuals. Fill out the wizard, preview in real time, and download as PDF or Word.