Questions to Ask Before Signing a Managed IT Services Agreement

Response time SLAs are the most cited and least understood term in managed IT contracts. Every provider has them. Few customers understand what they measure. The key distinction is between response time (when someone acknowledges the ticket) and resolution time (when the problem is fixed). A provider can technically meet a 15-minute response SLA by sending an automated acknowledgment — while your server sits down for four hours waiting for an engineer.

What to ask: What are the response and resolution time commitments by priority tier? How are priority levels defined — by the provider or by the customer? What happens after hours and on weekends — does the SLA still apply? Are there financial penalties or service credits if SLAs are missed? An SLA with no consequence for missing it is aspirational language, not a commitment.

"Unlimited support" is marketing language. Every contract that uses it contains limitations — the question is where they are hidden. Common restrictions include: support hours limited to business hours with after-hours coverage at additional cost; on-site visits capped or billed separately; support for covered devices only, excluding personal devices, non-standard software, or shadow IT; project work such as migrations, new deployments, or major upgrades explicitly excluded from per-seat pricing; and escalations to senior engineers or specialists billed at a premium rate.

What to ask: What is explicitly NOT included in the monthly fee? Define "project work" — at what point does a support request become a project and trigger additional billing? Is after-hours support included, and if so, does it carry the same SLAs? Get the exclusion list in writing, not just the inclusion list.

Most support tickets resolve at the first-line tier. The ones that matter most — active outages, security incidents, data loss — often do not. Understanding the escalation path tells you how the provider is structured to handle the situations that actually hurt your business. A provider with no defined escalation process above the helpdesk is not equipped to handle critical incidents, regardless of what their SLA document says.

What to ask: Who handles escalations — in-house senior engineers or third-party vendors? What is the escalation trigger — time in queue, severity level, or customer request? Is there a named technical account manager or escalation contact for your account, or do escalations go into a queue? How are major incidents communicated, and who is your point of contact when something is genuinely wrong?

Data ownership provisions in managed IT contracts determine what happens to your configurations, documentation, credentials, and backups when the relationship ends. Some providers treat everything they build or document about your environment as proprietary — meaning you can have your data, but not the runbooks, configuration files, network diagrams, and institutional knowledge the MSP holds. Others use tooling and licensing structures that make migration genuinely painful, whether intentionally or not.

What to ask: Who owns the configurations, scripts, and documentation created for your environment? If the contract ends, are credentials, admin access, and configurations transferred on day one of notice — or on the last day? Is your data stored in the provider's proprietary platform, or in portable formats you can export independently? Are there any licensing agreements (RMM tools, backup platforms) that would need to be transferred, and what is the process?

Exit clauses are where managed IT contracts most commonly surprise customers. Auto-renewal provisions — where a contract renews for a full term unless canceled within a specific notice window — are standard and frequently catch businesses off-guard. Notice periods of 60 to 90 days are common, meaning you could be bound for another year even if you decide to switch. More concerning are contracts that allow the provider to terminate for convenience with minimal notice while requiring extended notice and penalties from the customer.

What to ask: What is the contract term and does it auto-renew? What is the notice window to cancel renewal — and who receives the notice? What are the termination-for-cause provisions — can you exit early if SLAs are repeatedly missed? Are there early termination fees, and how are they calculated? What happens to services, access, and support during the notice period — does quality typically decline once notice is given?

Managed IT agreements that include device management often contain provisions about hardware replacement cycles — and they are not always clear about who pays for what. The MSP may recommend hardware replacement at a specific interval, and the contract may make that recommendation effectively mandatory (flagging unsupported hardware as out of scope for support coverage). Understanding the hardware lifecycle expectations upfront prevents surprise conversations about a $50,000 refresh cycle two years into a contract.

What to ask: Does the agreement require hardware refresh cycles? If hardware ages out of vendor support, does the MSP continue to support it or does coverage lapse? Who purchases replacement hardware — directly from the provider, or through independent procurement? Is there a markup on hardware the provider sources, and if so, how does it compare to market pricing? Can you use hardware purchased independently, or does it need to go through the provider?

Security responsibility in managed IT contracts is one of the murkiest areas in the industry. Some providers include managed detection and response (MDR), endpoint protection, and firewall management in their base tier. Others include "monitoring" but not incident response. Others treat security as an entirely separate scope requiring a separate agreement. The provider's responsibility boundary — where their obligation ends and yours begins — needs to be explicit, because in a security incident, ambiguity becomes liability.

What to ask: What security tools and controls are included in scope? Is endpoint detection and response (EDR) managed by the provider, or just deployed? If there is a security incident, what is the provider's obligation — notification only, or active containment and remediation? Are security patches and updates included, and on what cadence? What security controls does the provider apply to their own access to your environment — MFA, privileged access management, audit logging?

If your business operates under HIPAA, PCI DSS, SOC 2, CMMC, or state privacy laws, your managed IT provider's practices directly affect your compliance posture. Some providers are compliance-ready and document their controls accordingly. Others use language like "we help you maintain compliance" without taking on any formal compliance responsibility. The distinction matters when an auditor asks who is responsible for a specific control requirement and the answer is a contract clause neither party fully read.

What to ask: Which compliance frameworks does the provider have documented experience with? Are their practices covered under a Business Associate Agreement (BAA) if your business handles PHI under HIPAA? Can they provide a SOC 2 Type II report or equivalent documentation of their own security controls? What compliance-related reporting or evidence does the provider produce, and in what format? What is explicitly outside their compliance scope?

Reporting is the primary mechanism by which you hold a managed IT provider accountable to the terms of the agreement. Without regular, structured reporting, you are dependent on the provider's self-assessment of how they are performing. Good reporting includes ticket volume and resolution metrics against SLAs, security event summaries, patch compliance status, backup health verification, and capacity or risk observations. Providers who resist committing to specific reporting cadence and format often do so because their performance metrics would not hold up to scrutiny.

What to ask: What reports are included in the agreement, and how frequently are they produced? Are reports automatically generated from the provider's tooling, or manually assembled — and does that affect reliability? Do the reports include SLA performance metrics with variance to target? Who presents the reports — the account manager, the technical team, or an automated email? Is there a scheduled quarterly or annual business review, and is it included in the base agreement?

Managed IT providers commonly subcontract specific functions: after-hours support, specialized technical roles, on-site field services, security operations, or specific vendor support. This is not inherently problematic, but it affects accountability, security, and service quality in ways you need to understand before signing. If the provider's security operations center (SOC) is a third-party vendor and you have a breach at 2am, the chain of accountability and access becomes relevant fast.

What to ask: Which services are provided directly by your staff, and which are subcontracted? Who are the subcontractors, and are they disclosed? Do subcontractors have access to our systems — and under what access controls? Are subcontractors covered under the same data protection and security obligations as the primary provider? If the subcontractor relationship ends, how does that affect our service coverage?

The monthly per-seat or flat-rate pricing in a managed IT proposal is the starting price, not necessarily the price you pay in year two or three. Most contracts include provisions for annual price adjustments — typically tied to CPI, a fixed percentage, or the provider's discretion. They may also include per-seat pricing that scales as headcount grows, and separate pricing for new service categories added mid-term. Understanding the full potential cost trajectory matters when you are evaluating multi-year commitments.

What to ask: Is pricing fixed for the contract term, or subject to annual increases? If increases are built in, what is the cap or mechanism — percentage, CPI index, or provider discretion? How is per-seat pricing handled if headcount grows significantly mid-contract? Are there any services currently included that might be reclassified as add-ons at renewal? Can the provider point to examples of renewal pricing for comparable current clients?

References are the most underused due diligence tool in managed IT procurement. Providers will give you references they have prepared — businesses that will speak positively. The value is not in the testimonial but in the conversation: asking directly whether the SLAs in the contract match reality, how the provider handled a significant incident, whether the contract terms looked the same at renewal, and whether the reference would sign with the same provider again knowing what they know now.

What to ask the provider: Can you provide two or three references from businesses of similar size, in a similar industry, who have been with you for more than two years? Can you provide contact information for a customer who transitioned away from your service — not as a negative reference, but to understand the offboarding process? What to ask the references: Has the provider met the SLAs in the contract? How did they handle the most significant incident you experienced? Did renewal pricing match what you expected from the original contract? Would you sign with them again?