The three hosting models
“Hosting” covers three commercially distinct arrangements, and a contract drafted for the wrong one fails silently — a colocation agreement says nothing useful about patching, and a managed-hosting agreement says nothing useful about hardware retrieval. Identify the model first; the clause set follows from it.
| Model | Who owns the hardware | Who patches | SLA scope | Exit complexity |
|---|---|---|---|---|
| Colocation | You — your servers in the provider's racks | You patch everything; the provider only powers, cools and physically secures the facility | Power, cooling, physical security and network uplink — never your OS or application | High (physically): hardware retrieval logistics, decommissioning windows, rack handover |
| Dedicated / managed hosting | The provider — their servers, your workloads | Split: provider patches hardware/hypervisor and (if managed) the OS; you patch your application — the contract must say exactly where the line sits | Hardware replacement, network, and the OS layer where management is included | Medium: data migration in usable formats; the hardware stays behind |
| Cloud resale / MSP-managed hyperscaler | The hyperscaler (AWS, Azure, Google) | Hyperscaler patches the infrastructure; the MSP manages configuration; you own the workload | The hyperscaler's SLA flows down unchanged; the MSP layers a management SLA on top | Depends entirely on who holds the account: your account = low; the MSP's account = real lock-in |
Hosting agreements sit one layer below the cloud-services questions of data sovereignty and jurisdiction — for the regulatory treatment of where data may live, which law applies, and what foreign-access regimes mean for SA businesses, see the cloud computing & data sovereignty guide. This page deals with the contract itself.
The eight clauses that matter
Service description + provisioning
Exactly what is being provided: rack units, power allocation and cross-connects for colocation; server specifications and provisioning timelines for dedicated hosting; the managed-services scope for resale. Vague service descriptions are the single biggest source of hosting disputes — everything not listed becomes a billable extra.
Availability SLA + measurement boundary
Not just the percentage but what it measures: facility power, the network edge, the server itself, or your application. A 99.9% facility SLA tells you nothing about whether your workload is reachable. Define the measurement point, the measurement tool, and the credit regime — see the dedicated SLA guide for the full anatomy.
Data location + POPIA section 72
Where the servers, replicas and backups physically sit. If personal information leaves South Africa — including to an offshore backup target or DR site — section 72 POPIA requires a lawful transfer ground. The contract should name the hosting regions and prohibit relocation without notice and consent.
Backups + disaster recovery
Concrete RPO and RTO numbers, the backup schedule and retention, and — critically — restore testing: how often restores are actually tested, who verifies the test, and what happens when a test fails. An untested backup commitment is a hope, not an obligation.
The security split
Physical security (access control, CCTV, biometrics) sits with the provider; logical security is negotiated. Section 19 POPIA requires appropriate, generally accepted security safeguards — and where the provider can access personal information, section 21 operator terms must be in place.
Suspension rights
The dangerous clause. An unqualified right to suspend for non-payment lets a billing dispute take your production environment down. Negotiate written notice, a cure period, and an express carve-out: no suspension for invoices disputed in good faith while the dispute procedure runs.
Maintenance windows
Scheduled versus emergency maintenance, minimum notice for each, permitted frequency and duration, and whether window downtime is excluded from the availability calculation. Generous exclusions can quietly hollow out an otherwise strong SLA.
Exit + data return
Data return in defined, usable formats; reasonably priced migration assistance; hardware retrieval rights and timelines for colocation; and a written deletion attestation once return is confirmed. Exit terms negotiated at signature cost nothing — negotiated at exit, they cost whatever the provider asks.
Two of these deserve their own deep-dives: availability commitments are dissected clause-by-clause in the SLA guide, and continuity protection against provider failure — the insolvency cousin of the exit clause — is covered in the source code escrow guide.
Reselling hyperscaler capacity
A large share of SA “hosting” is now an MSP managing AWS, Azure or Google Cloud capacity. The legal structure is fundamentally different from owning racks: the hyperscaler’s terms of service flow down to you whether or not your contract mentions them, because the MSP cannot grant rights it does not have. A resale agreement that promises 99.99% availability on infrastructure the hyperscaler only warrants to 99.9% — or that promises data residency the underlying region settings do not enforce — is writing cheques the upstream terms will not honour. The flow-down clause should be express: which upstream terms apply, who bears upstream price increases, and what happens if the hyperscaler suspends or terminates the account.
The single most important commercial question: who holds the account? Whoever holds the hyperscaler account holds the power. If the account is yours and the MSP merely has delegated administrative access, you can replace the MSP with notice and lose nothing — the workloads, the data, the configuration and the billing relationship all stay with you. If the account is the MSP’s, every workload, snapshot and DNS zone is legally under its control, and “migration assistance” on exit means extracting your environment from someone else’s tenancy at their pace and price.
Where an MSP-held account is unavoidable — bundled enterprise discounts often require it — the contract must compensate: a named right to demand account transfer or full environment export on exit, infrastructure-as-code and configuration handover, escrowed root credentials or break-glass access, and an express prohibition on the MSP suspending your workloads for disputes between the MSP and the hyperscaler.
When the provider can look at your data
If the hosting provider stores or can access personal information you are responsible for, POPIA treats it as an operator — and section 21 makes a written operator agreement mandatory, covering authorised processing only, section 19 security safeguards, confidentiality, and breach notification to you. This applies obviously to managed hosting (the provider administers the OS your data sits on), but a colocation provider with physical access to your machines, or an MSP with administrative access to your cloud tenancy, is in substance no different. The safe drafting position is to assume operator status and include the section 21 terms — they cost a schedule, not a negotiation.
The technical control that changes the legal analysis is encryption-at-rest key custody — and it belongs in the contract, not just the architecture document. If you hold the keys and the provider stores only ciphertext, the provider’s practical ability to access personal information collapses, which narrows the operator-risk surface, simplifies breach analysis, and strengthens your position on foreign-government access to offshore replicas. The clause should state who generates, holds and rotates keys, whether the provider ever receives key material (including for support), and that provider-side decryption requires your prior written instruction. Where the provider insists on holding keys for managed services, require logged, purpose-limited access and the right to audit the access log.
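The audit right in that last sentence only has value if someone reconciles the key-access log against the written instructions actually given. The following is an added example, not part of the original guide, of that reconciliation; the log format, principal names, action names and instruction register are constructed assumptions, not any provider's real schema.

```python
from datetime import datetime

# Constructed sample data in a hypothetical log format:
# (timestamp, principal, action, key, written-instruction reference or None).
ACCESS_LOG = [
    ("2024-03-04T09:12:00", "customer/app-backend", "Decrypt", "key-prod-db", None),
    ("2024-03-05T14:30:00", "provider/support-eng-1", "Decrypt", "key-prod-db", "INS-001"),
    ("2024-03-09T02:47:00", "provider/support-eng-2", "Decrypt", "key-prod-db", "INS-001"),
    ("2024-03-10T11:05:00", "provider/support-eng-1", "Decrypt", "key-backups", "INS-001"),
    ("2024-03-11T16:20:00", "provider/ops-automation", "Decrypt", "key-prod-db", None),
    ("2024-03-12T08:00:00", "provider/ops-automation", "DescribeKey", "key-prod-db", None),
]

# Constructed register of the customer's prior written instructions:
# reference -> (key covered, valid from, valid until).
INSTRUCTIONS = {
    "INS-001": ("key-prod-db", "2024-03-05T00:00:00", "2024-03-06T00:00:00"),
}

# Hypothetical action names that expose plaintext or key material.
KEY_MATERIAL_ACTIONS = {"Decrypt", "ExportKey"}


def audit(log, instructions, provider_prefix="provider/"):
    """Return (timestamp, principal, reason) for every provider-side use of
    key material that no written instruction covers."""
    findings = []
    for ts, principal, action, key, ref in log:
        # Customer activity and metadata-only calls are out of scope.
        if not principal.startswith(provider_prefix) or action not in KEY_MATERIAL_ACTIONS:
            continue
        if ref is None:
            reason = "no instruction referenced"
        elif ref not in instructions:
            reason = "unknown instruction"
        else:
            covered_key, start, end = instructions[ref]
            when = datetime.fromisoformat(ts)
            if key != covered_key:
                reason = "instruction covers a different key"
            elif not datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
                reason = "outside instruction validity window"
            else:
                continue  # purpose-limited access, properly instructed
        findings.append((ts, principal, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCESS_LOG, INSTRUCTIONS):
        print(*finding, sep="  ")
```

Each finding corresponds to a decryption the clause would treat as unauthorised: an instruction reused after it lapsed, one stretched to a key it never covered, and automated access with no instruction at all.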
Frequently asked
What is the difference between colocation and managed hosting?
In colocation you own the hardware and rent space, power, cooling and physical security in the provider's data centre — the provider never touches your software. In dedicated or managed hosting the provider owns the hardware and runs your workloads on it, usually with a defined split of responsibility for patching and administration. The legal consequence: colocation agreements are mostly about the facility (power SLAs, access rights, hardware retrieval), while managed hosting agreements are mostly about the service (provisioning, patching split, backups, the OS layer).
What SLA should a hosting contract have?
It depends on the measurement boundary. A colocation SLA should cover power availability (often 100% with credits), cooling within defined ranges, and network uplink — typically 99.9% or better. A managed-hosting SLA should cover server availability and hardware-replacement response times. In all cases, insist on a defined measurement point and method, service credits that escalate with the depth of the failure, and a termination right for chronic breach. The percentage alone is meaningless without knowing what it measures and what remedy attaches.
Can a hosting provider suspend us for non-payment?
Under most standard terms, yes — often on short or no notice, which can take your production systems offline over a billing query. Negotiate three protections: written notice of intended suspension, a cure period (7–14 days is common), and an express carve-out preventing suspension for invoices disputed in good faith while the contract's dispute procedure runs. Without the carve-out, the provider can use suspension as leverage in any pricing disagreement.
Where may our data be hosted under POPIA?
Anywhere — provided that if personal information leaves South Africa, one of the section 72 POPIA transfer grounds applies: adequate protection under foreign law or binding agreement, data-subject consent, contractual necessity, or the data subject's benefit. The practical contract points: require the provider to name its hosting and backup regions, prohibit relocation without notice, and where offshore transfer is unavoidable, impose binding contractual terms that satisfy section 72(1)(a). SA-residency options (local regions of AWS, Azure and Google, plus local data centres) make in-country hosting achievable for most workloads.
Who is responsible for backups?
Whoever the contract says — and never assume it is the provider. Many colocation and even managed-hosting agreements place backup responsibility entirely on the customer, or offer it only as a billable add-on. The agreement should state who backs up what, on what schedule, with what retention, to what location (POPIA section 72 applies to offshore backup targets), and how often restores are tested. If the contract is silent, courts will not imply a backup obligation into a facility-services agreement.
What happens to our data on exit or if the provider becomes insolvent?
Exit terms should guarantee data return in defined usable formats, a migration-assistance commitment at agreed rates, hardware retrieval rights for colocation, and a deletion attestation. Insolvency is harder: your data may sit on hardware controlled by a liquidator, and contractual return rights become claims in the insolvent estate. Mitigations include maintaining your own off-site backups, owning the hyperscaler account in resale arrangements, and — for critical dependencies — escrow-style continuity arrangements similar to those used for source code.
Do POPIA operator rules apply to a hosting provider?
Usually yes. A provider that stores or can access personal information on your behalf is an operator under POPIA, which makes a written operator agreement under section 21 mandatory: the provider must process only with your authorisation, maintain section 19 security safeguards, and notify you of any breach. Even a colocation provider with physical access to your hardware arguably falls within the definition where it can access the data. The lower-risk route is to assume operator status applies and contract accordingly.
What does a hosting agreement cost to draft or review in SA?
From R12,000 for a bespoke single-model agreement (colocation, dedicated or managed hosting) or a detailed review and negotiation of a provider's standard terms. A resale framework that flows down hyperscaler terms with a management SLA layered on top typically runs R15,000–R20,000. Add R5,000–R8,000 for a separately drafted POPIA operator agreement / DPA where the provider can access personal information.