What should be included in a managed IT services agreement?

Complete guide to managed IT service agreements. Learn what should be included, red flags to avoid, and questions to ask before signing.

centrexIT Team

Before signing any managed IT services agreement, you need to understand exactly what you’re getting. This guide covers what should be included, what’s typically extra, and the red flags to watch for.

Core Services That Should Be Included

These are non-negotiable elements of any quality managed IT agreement:

1. 24/7 Monitoring and Alerting

What it means: Software agents on your devices that watch for problems around the clock.

What to look for:

  • Server and workstation monitoring
  • Network device monitoring (firewalls, switches)
  • Alerting thresholds and response procedures
  • Who gets notified and how quickly they respond

Red flag: “Business hours monitoring only” - problems don’t wait for 9-5.

2. Help Desk Support

What it means: A way for your employees to get technical help.

What to look for:

  • Hours of availability
  • Contact methods (phone, email, chat, portal)
  • Response time SLAs by priority level
  • Escalation procedures

Example SLA structure:

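| Priority | Description | Response Time | Resolution Target |
|----------|-------------|---------------|-------------------|
| Critical | Business down | 15-30 min | 2-4 hours |
| High | Major impact | 1-2 hours | 4-8 hours |
| Medium | Moderate impact | 4 hours | 24 hours |
| Low | Minor impact | 8 hours | 48 hours |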

Red flag: No defined SLAs or vague “best effort” language.

3. Patch Management

What it means: Regular updates to operating systems and software to fix bugs and security vulnerabilities.

What to look for:

  • Update schedule (weekly/monthly)
  • Testing procedures before deployment
  • Critical security patch process
  • Reporting on patch status

Red flag: “We’ll update things as needed” without a defined process.

4. Antivirus/Endpoint Protection

What it means: Security software on all devices to prevent malware.

What to look for:

  • Which product is used (enterprise-grade, not free consumer)
  • Who manages it
  • How threats are handled
  • Reporting on detections

Red flag: You’re responsible for managing it yourself.

5. Backup Monitoring

What it means: Watching your backups to ensure they’re actually working.

What to look for:

  • Daily backup verification
  • Test restores (how often?)
  • Alerting on failures
  • Who fixes backup issues

Important distinction: Many providers only monitor backups. The backup solution itself may be a separate line item.

6. Basic Security

What it means: Fundamental security practices applied to your environment.

What to look for:

  • Firewall management
  • User account management
  • Password policy enforcement
  • Basic security best practices

Red flag: Security is treated as an optional add-on.

Services That Should Be Clearly Defined

These may or may not be included - make sure you understand what you’re getting:

Vendor Management

Question: Will they handle calls to Microsoft, your ISP, your line-of-business software vendor?

Good: Included for core vendors, maybe hourly for others

Watch out: Not included at all, or excessive charges

On-Site Support

Question: What happens when someone needs to physically be at your office?

Common models:

  • Included up to X hours per month
  • Included with travel charge
  • Billed hourly
  • Emergency-only

New Employee Setup / Terminations

Question: Who handles onboarding and offboarding IT for employees?

Look for:

  • What’s included (email, workstation, training)
  • Turnaround time
  • Process for terminations (security!)

Hardware Procurement

Question: Will they help you buy equipment?

Common models:

  • They procure at markup (10-20% is reasonable)
  • You buy, they configure (configuration may be extra)
  • They provide leased equipment

Reporting and Reviews

Question: How will you know what’s happening?

Look for:

  • Monthly or quarterly reports
  • Regular business reviews (quarterly minimum)
  • Executive summary you can understand
  • Recommendations for improvement

What’s Almost Always Extra

These services typically require additional investment:

Major Projects

  • Server migrations
  • Office moves/buildouts
  • Cloud migrations
  • Major software implementations

Advanced Security

  • Security Operations Center (SOC)
  • SIEM/log management
  • Penetration testing
  • Security awareness training

Compliance-Specific Services

  • HIPAA risk assessments
  • SOC 2 preparation
  • Audit support
  • Policy development

Strategic Services

  • vCIO/IT strategy (sometimes included, often extra)
  • Technology roadmapping
  • M&A IT due diligence

Contract Terms to Understand

Length and Renewal

Typical: 1-3 year terms with auto-renewal

Best practice: 1-year initial with annual renewals

Watch out for:

  • Multi-year contracts with no exit clause
  • Automatic multi-year renewals
  • Early termination penalties

Price Increases

Question: How and when can they raise prices?

Reasonable: Annual adjustment tied to CPI or a cap (3-5%)

Watch out: “At our discretion” with no limits

Termination Clause

Critical questions:

  • How much notice is required to cancel? (30-90 days typical)
  • What happens to your data and documentation?
  • Are there termination fees?
  • Will they help transition to a new provider?

Red flag: Termination fee equals remaining contract value.

Data Ownership

Must be clear: You own your data. Period.

Look for:

  • Your data is yours, always
  • Documentation belongs to you
  • You get all passwords and admin access
  • Cooperation with new provider during transition

Limitation of Liability

Standard: Most contracts limit liability to the fees paid (12 months typical)

Understand: This is normal, but make sure you have appropriate cyber insurance.

Questions to Ask Before Signing

  1. “Walk me through exactly what’s included and what costs extra.”

  2. “Who will be our primary contact?”

  3. “What happens if we’re not happy?”

  4. “Can I see a sample monthly report?”

  5. “What’s your average response time for clients our size?”

  6. “How do you handle after-hours emergencies?”

  7. “What happens when we need to cancel?”

  8. “Can I talk to 2-3 current clients similar to us?”

Red Flags Summary

Don’t sign if you see:

  • No clear SLAs or “best effort” promises
  • Multi-year lock-in with heavy termination fees
  • Vague scope that will lead to surprise charges
  • They control your admin passwords with no documentation
  • No transition assistance if you leave
  • Unlimited price increase rights
  • Security treated as optional
  • No references or unwilling to provide them

Our Agreement Philosophy

At centrexIT, our agreements are designed to be clear and fair:

  • No jargon - Plain English contracts
  • Annual terms - No multi-year lock-ins
  • Clear scope - You know exactly what’s included
  • Easy exit - 60-day notice, full cooperation
  • Your data - Always yours, always accessible
  • Predictable - No surprise charges

We’re confident enough in our service that we don’t need to trap you in a contract.


Want to see what a fair managed IT agreement looks like? Contact us for a sample or to discuss your needs.
