Every clause below is production text from real WebCare agreements. Copy verbatim, replace the bracketed placeholders in the schedules, then have a solicitor or attorney review for your jurisdiction.
1. Scope of services
Provider shall perform WordPress maintenance services on the site(s) listed in Schedule A, including: (a) WordPress core, plugin, and theme updates tested on a staging environment before deployment to production; (b) daily off-site encrypted backups with a monthly restore-verification test; (c) uptime monitoring with alerting under 5 minutes; (d) security scanning and malware removal; (e) monthly performance and security report; (f) small content edits and change requests, capped per Schedule B.
2. Response and resolution SLA
Provider commits to first-response times as defined in Schedule B (Care: 12h; Care Plus: 8h; Commerce: 4h; Enterprise: 1h). Emergency response for site-down and checkout-down incidents shall not exceed the times in Schedule B (Care: same-day triage; Care Plus: 4h; Commerce: 1h; Enterprise: 15 min). First response is defined as a human acknowledgement and initiation of remediation work, not an automated ticket confirmation. If the SLA is not met, Provider shall credit the affected month in full.
3. Backup and data recovery
Provider shall retain at least thirty (30) rolling daily backups stored in an off-site region separate from the primary hosting provider. Backups shall be encrypted at rest using AES-256. Provider shall perform a full restore-verification test at least once per calendar month for each site and shall provide restore evidence upon request. In the event of catastrophic data loss, Provider commits to a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours.
4. Security responsibilities
Provider shall (a) enforce two-factor authentication on all administrator accounts under its control; (b) apply WordPress core and plugin security patches within 24 hours of vendor release for CVSS ≥ 7.0; (c) maintain a web application firewall (WAF) at either edge (Cloudflare) or origin layer; (d) perform monthly malware scans; (e) notify Client within 4 hours of any confirmed security incident affecting Client's site. Client shall (a) provide Provider with least-privilege administrator access; (b) not install nulled plugins or themes; (c) not modify wp-config.php or the .htaccess file without Provider's written approval.
5. Change requests and out-of-scope work
Small content edits (defined as changes taking a Provider engineer under 30 minutes) are included in the plan up to the monthly cap in Schedule B. Design changes, custom development, new page templates, plugin builds, and site migrations are out of scope and shall be quoted separately at Provider's then-current hourly rate. No out-of-scope work will commence without Client's written approval of a fixed-price or capped-hours estimate.
6. Hosting and infrastructure
Provider is not responsible for downtime, data loss, or performance issues caused by Client's hosting provider. If Client's hosting is the diagnosed root cause of an incident, Provider shall (a) supply Client with a written diagnosis; (b) provide a recommended migration path; (c) not charge for the diagnostic time. Provider may offer managed hosting as an add-on under a separate Schedule.
7. Data protection and confidentiality
All Client data — including customer PII, order records, and site content — shall be processed as a data processor under Client's instructions. Provider shall comply with GDPR, UK GDPR, and CCPA where applicable, execute a Data Processing Agreement (DPA) on request, maintain a record of processing activities, and delete Client data within 30 days of contract termination unless legally required to retain it. Sub-processors are limited to those listed in Schedule C; Provider shall notify Client 30 days prior to adding a new sub-processor.
8. Limitation of liability
Provider's aggregate liability under this Agreement, whether in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid by Client to Provider in the twelve (12) months preceding the event giving rise to the claim. Neither party shall be liable for indirect, consequential, or loss-of-profits damages. Nothing in this clause shall limit either party's liability for death or personal injury, fraud, or willful misconduct.
9. Term, renewal, and termination
This Agreement commences on the Effective Date and continues on a month-to-month basis. Either party may terminate for convenience on 30 days' written notice. Provider offers a 30-day money-back guarantee: if Client terminates within the first 30 days, all fees paid shall be refunded in full. On termination, Provider shall (a) export Client's site to a Client-nominated host; (b) supply the final backup archive; (c) transfer any Provider-held credentials; (d) delete all Client data from Provider systems within 30 days.
10. Governing law and dispute resolution
This Agreement shall be governed by the laws of the jurisdiction stated in Schedule A. Any dispute arising under this Agreement shall first be subject to good-faith negotiation between the parties for a period of 30 days. Failing resolution, the dispute shall be resolved by binding arbitration in the seat named in Schedule A under the rules of the arbitration body named therein. Each party shall bear its own costs of arbitration.