856-282-4100
1 Executive Drive Suite 100 Marlton, NJ 08053
+1 856-282-4100
Facebook-f X-twitter Instagram Linkedin-in Youtube
Let’s Talk
Let’s Talk

6 Questions That Expose Bad IT Contracts Before You Sign One

Most business owners don’t read their IT services agreement closely until something goes wrong — a breach, a disputed invoice, a vendor who won’t hand back passwords when you try to leave. By then the leverage is gone. The questions to ask before signing an IT services agreement are the ones that protect you before you’re negotiating from a hole.

This post is for the owner or executive who wants to avoid that hole entirely. Whether you’re signing your first IT contract, renewing one, or evaluating a new firm, these six questions will tell you more about a vendor than any sales presentation ever will.

They’re not trick questions. A capable, confident firm will answer all of them without hesitation. That willingness — or the absence of it — tells you everything you need to know.

1. What does your response time commitment actually cover?

Almost every IT services agreement promises a response time. Fifteen minutes. Two hours. “Same business day.” What most owners don’t realize is that response time and resolution time are completely different things — and contracts almost always define only the first one.

Response means someone acknowledged your ticket. It does not mean your problem is being worked. It does not mean a qualified person is on the case. It does not mean your server is back online.

Ask this directly: “When you say you respond in X minutes, what exactly happens? And how do you measure resolution time?”

A firm worth hiring will give you a specific answer — and will distinguish between issue types. A phone that won’t connect to email is not the same as a server that’s down for your entire staff. Resolution targets should reflect that difference. If the vendor conflates the two, or gets vague when you push, that’s your answer.

Also ask: Who responds? Is it a first-line helpdesk reading from a script, or someone with real authority over your environment? The difference matters enormously at 9pm on a Tuesday when production is down.

2. What exactly does “unlimited support” exclude?

6 Questions That Expose Bad IT Contracts Before You Sign One — professional IT services

“Unlimited support” is one of the most misleading phrases in the industry. It sounds like a blank check. It almost never is.

In most contracts, “unlimited” applies only to a specific category of work — usually helpdesk tickets for named users on approved devices. The following are commonly excluded, often buried in the fine print:

  • New device setup or employee onboarding beyond a set threshold
  • Project work — migrations, new software deployments, infrastructure upgrades
  • After-hours or emergency response
  • Work performed at a physical location
  • Vendor liaison work — coordinating with your internet provider, software vendor, or phone system
  • Security incident response

When something falls outside the “unlimited” scope, you get billed hourly. Some firms price that hourly rate strategically — low enough to look reasonable in a proposal, high enough to make you think twice about calling.

Ask the vendor to walk you through the last three scenarios where a client was billed outside their base agreement. If they say it never happens, they’re either not being straight with you or their contract is genuinely comprehensive — and you should get that in writing.

3. Who owns the credentials, documentation, and licenses when we part ways?

This is one of the most important questions to ask before signing any IT services agreement, and almost everyone wishes they had raised it at the start.

When an IT firm manages your environment, they accumulate real control: administrative credentials to your systems, documentation of your infrastructure, licenses tied to their vendor accounts, and access to your cloud platforms. In a well-run relationship, this is invisible. When you decide to leave — for any reason — it can become a serious problem.

Some firms retain ownership of documentation they built for your environment. Some register your software licenses under their own accounts, which means a transfer requires their full cooperation. Some hold administrative credentials that aren’t stored anywhere you can access independently.

Before signing, ask explicitly:

  • Do we own all administrative credentials to our systems at all times?
  • Is our infrastructure documentation stored somewhere we can access independently?
  • Are our software licenses registered in our name or yours?
  • What does the off-boarding process look like, and how long does it take?

A firm confident in its work will have clean answers. They don’t need dependency through credential lock-in — they keep clients because the service is excellent, not because leaving is painful.

4. What does your security coverage actually include?

Every IT firm today uses the word “cybersecurity.” Most mean something very different by it.

In its most basic form, “cybersecurity included” means antivirus software and maybe a firewall. In a serious implementation, it means layered protections: monitored endpoint protection, email filtering, multi-factor authentication enforcement, identity monitoring, backup integrity testing, and active log review — among other things. The Cybersecurity and Infrastructure Security Agency (CISA) maintains current guidance on the threat categories your vendor’s approach should be designed to address — worth familiarizing yourself with the basics before that conversation.

You don’t need to understand every technical layer. You do need to ask: “If one of my employees clicks a malicious link in an email tonight at 11pm, walk me through exactly what happens.”

A well-prepared firm will walk you through the detection chain, the containment process, and who gets notified. They will not say “our software catches it” and move on.

Also ask whether their security practices have been independently verified. Anyone can claim expertise. A firm holding the CompTIA Security+ Trustmark — one of fewer than 30 firms globally to hold it — has had those practices evaluated by a third party. Certifications aren’t a guarantee, but they are a signal that a vendor has submitted to outside scrutiny rather than simply asserting competence.

Ask for specifics. If the vendor gets defensive, changes the subject, or pivots to features you don’t understand — that’s your answer.

5. What are the off-boarding terms if we decide to leave?

If a vendor makes it easy to leave, it usually means they’re confident you won’t want to. If they make it hard, that tells you something too.

Off-boarding terms are rarely the first thing discussed in a sales process, which is exactly why they should be. Ask before you sign:

  • What is the contract term, and what happens at the end? Does it auto-renew? What notice period is required to cancel?
  • Is there an early termination clause? What does it cost to leave before the term ends?
  • What is the transition assistance policy? Will they cooperate fully with a new provider? Is that cooperation in writing?
  • How long does credential and documentation transfer take? Some firms commit to 30 days. Others have no defined timeline at all.

You’re probably not planning to leave before you’ve even signed. But how a firm answers these questions is a signal about their character. A firm that bristles here is a firm that knows its retention depends on friction, not performance.

6. How do you verify what you’re being told before you commit?

Every IT firm will tell you they’re great. The question is how you test that before you’re financially and operationally locked in.

Ask for references — and ask the right question. Don’t ask clients if the vendor is good. Ask: “Have you ever had a serious incident — a breach attempt, a major outage, a billing dispute? How did they handle it?” Behavior under pressure tells you far more than behavior during normal operations.

Look for third-party validation. Certifications like the CompTIA Security+ Trustmark exist precisely because vendor self-assessment is unreliable. Not every firm pursues them — roughly 30 globally hold it — but those that do have submitted to external scrutiny. Ask what certifications the firm holds, then verify them directly with the issuing organization.

Ask about breach history — theirs and their clients’. This is the hardest question to ask and the most important one. “Has any client under your management experienced a security breach in the last five years?” A firm with zero client breaches over two decades is genuinely rare. A firm that can’t answer the question — or answers it vaguely — is telling you something. The NIST Cybersecurity Framework provides a useful reference for the baseline practices any managed IT provider should be able to demonstrate independently of their own claims.

Evaluate the conversation itself. Does the vendor speak to you like a peer? Do they explain technical concepts plainly? Do they push back when you say something incorrect, or just agree? The best IT firms are the adult in the room — calm, confident, and honest even when the honest answer is inconvenient.

What a good answer looks like

A well-run IT firm should welcome all six of these questions. Clarity and transparency aren’t courtesies — they’re evidence that the firm has been doing this long enough to have worked through every scenario you’re imagining.

Red flags worth taking seriously:

  • Vague or evasive answers about what’s included versus excluded
  • Resistance to off-boarding or credential ownership questions
  • Security claims that can’t be tied to any independently verified credential
  • Response-time promises with no corresponding resolution commitment
  • References who can only describe normal operations, never a hard moment

Green flags worth noting:

  • Specific, unprompted answers about what falls outside scope
  • Clean documentation about credential and license ownership
  • Third-party certifications the vendor invites you to verify directly
  • A breach history — across their entire client base — that is measurable and provable
  • A tone that respects your intelligence and doesn’t ask you to take anything on faith

One more thing before you sign

The contract is the beginning of the relationship, not the finish line of the sales process. How a firm handles these six questions — before you’ve committed anything — is a preview of how they’ll handle the moments that actually matter: a breach attempt on a Friday night, a compliance question from a client, a transition when your business outgrows what they can support.

Most owners learn these questions after something goes wrong. You don’t have to.

At Xact IT Solutions, we’ve spent more than 20 years building environments where these questions have clean answers. Zero client breaches in that time — not because we’ve been lucky, but because of how we build. If you want to evaluate whether we’re the right fit, the right starting point is a Business Technology Growth & Risk Assessment — a structured conversation about where your environment stands today and what it would take to get where you need to be.

Reserve Your Business Technology Growth & Risk Assessment and come in with these six questions ready. We’ll answer all of them.