Web Hosting (cPanel) SLA


The Office of Information Technology (OIT) provides a web hosting service to any campus unit needing such capability. For the agreed-upon fiscal year, OIT will be the service provider of the web services for. As a reseller of web services, OIT’s goal is to provide a richer application service environment to the customer. The Customer is responsible for all aspects of the design, content, and support of the website(s) hosted by this service.

Responsibilities of Service Agreement

It is important to note that for this service, OIT is the service provider and any content delivered via this service is owned by the Customer.

The Customer is responsible for the following:

  • cPanel account maintenance:
    • Maintain and secure cPanel administrator account
    • Maintain and secure any sub-accounts and service accounts (eg, ftp)
    • All software installed by the customer must be maintained at the latest available version and in a secure configuration.
  • Creating and/or maintaining any contents, scripts or applications to be delivered by the web service.
  • Requesting the approval of any domain names: https://getontheweb.ncsu.edu/university-urls-and-domains/.  
  • Providing OIT with the names of all subdomains or add-on domains to be used on the account.
  • Providing OIT the names, phone numbers, and email addresses of at least two critical contact personnel.
  • Making sure content stored or presented within the website, or requested by the website is in compliance with:
  • Ensuring content meets the NC State Information and Communication Technology Accessibility Regulation (https://go.ncsu.edu/ict-accessiblity-reg). This includes Web pages, Web applications, and electronic documents.
  • Ensuring that everyone who manages content in this environment, regardless of the URL’s or tools used to host that content, reads this SLA and agrees to all specified terms and conditions.
  • Timely payment of the service fees (see page 5). Payment is due 30 days from receipt of the SLA. Penalty for non-payment is suspension of the web hosting account; all websites and services hosted by the account will no longer be available to the internet.

Additionally, customers of the web hosting service must be aware of the following rules regarding PCI Compliance:

  • This service is NOT PCI-compliant. You are not permitted to accept, receive, or transmit any sort of credit card information through this service, nor may your site link or transmit information to a payment processor.
  • The customer must ensure that the environment does not contain any system components that are in either PCI DSS primary or secondary scope.
    • Primary scope includes any system components that processes, transmits and/or stores Payment Card Numbers (including the Credit Card Security Code) whole or in part.
    • Secondary PCI scope is any system component that either provides services to primary components or attaches to the primary scope directly.

If you need to accept credit card information for any purpose, you are required to contact NC State Merchant Services (merchantservices@ncsu.edu) to arrange for use of the university’s e-storefront service or other Merchant Services-approved options.

If the web service’s URL is not registered in the ‘.ncsu.edu’ domain, the customer is also responsible for:

  • Registration and payment of domain registration fees and charges.
  • Securing approval for NC State University to handle the domain.
  • Executing the appropriate tasks to migrate the domain to NC State University.
  • Continuing renewal payments for domain registration.

OIT will be responsible for:

  • Maintenance and updates of the cPanel application and supporting software.
  • Creating backups of the environment for disaster recovery
  • Generating renewal SLA’s on an annual basis
  • Tier 1 administrative support of the cPanel environment
  • Installing and maintaining SSL certificates for all hosted domains.
  • Managing all DNS configuration for all hosted domains.

OIT will not be responsible for:

  • Maintaining or creating any content to be delivered by the service.
  • Maintenance and updates of any software installed by the customer.
  • Any copyright infringements caused by the unauthorized use of copyrighted material.
  • Any authorizations, approvals, or payments for non- ‘ncsu.edu’ domains.
  • Migration of any and all content as a function of executing an exit strategy.
  • Generating or providing website usage/access statistics.
  • The securing of protected data, including moderate security (also known as ‘yellow’) data, per the University’s Data Management Regulation: https://policies.ncsu.edu/regulation/reg-08-00-03/.

Please note that OIT does offer separate maintenance agreements if you need assistance with creating, updating and/or maintaining your site. More information: https://design.oit.ncsu.edu/services/.

Incident Response

If the web service, or any associated applications hosted on this service, are in violation of any of the aforementioned confidentiality or PCI-related terms/conditions, or if a site is reported as hacked or defaced, OIT will take the following actions:

  • The site will be immediately disabled from access by/to the Internet.
  • Customer’s cPanel account will be immediately disabled.
  • In consultation with OIT Security and Compliance, OIT Web Services Staff will begin attempting restoration and remediation of the affected account(s). This will likely take more than one business day to complete. Restoration of the cPanel account may will be done on a different server to allow for further forensics beyond restoration.
  • In the case of security issues the site and account will only be reactivated upon approval by OIT’s Security & Compliance Unit that confidential and/or PCI-related information has been removed and associated applications hosted on this service have been disabled or remediated. 

For reporting and help with security incidents please contact OIT’s Security & Compliance and follow the Cybersecurity Incident Response Procedure.

OIT reserves the right to charge the owning unit for staff hours required to repair and/or remediate accounts that have been hacked, or are in violation of terms.

Service Restrictions

  • Customer may not implement a mail hosting service.
  • Accounts come with 10GB and additional quota may be requested in 10GB increments. No single cPanel account shall be granted more than 50GB total.
  • No more than 5 web applications/sites should be installed in a single cPanel account. Accounts are limited to 20 subdomains and add-on domains total. Domains above 5 will be charged at a rate of $10/domain/year.
  • Any automated site crawls should be limited to 1 request/10 seconds and a max number of 5 concurrent crawls.
  • OIT reserves the right to disable any services, sites or applications that are – in the opinion of the Manager of Identity & Web Services (or their designate) – misbehaving, run-away, or consuming excessive CPU resources.
  • Any hosted blogs or forums should not be made publicly available for user registration to non-NCSU persons without approval from OIT Web Services. These tools are common attack vectors for site compromise and need to be vetted.
  • All services hosted in cPanel should implement strong authentication, preferably using NCSU’s Shibboleth Service as it includes strong passwords and multi-factor authentication. More information: https://oit.ncsu.edu/campus-it/identity-management/shibboleth/
  • Course related materials should not be hosted in this service. We recommend reviewing your options at https://getontheweb.ncsu.edu/get-started/.

Additional restrictions, as well as guidelines and best practices, may be included on the Web Services website, https://oit.ncsu.edu/campus-it/web-services/.

Capacity / Performance Targets and Commitments

Requirements for scalability

The following assumptions may be necessary for the medium and long-term increase in workload and service utilization.

Transferring cPanel Accounts Between Servers to Balance Resource Utilization

In order to provide the best service possible for all accounts, OIT Web Services will monitor the resource utilization of all cPanel accounts and servers. Monitored resources include, but are not limited to disk space, bandwidth, CPU and RAM.

Based on these metrics, OIT Web Services may transfer cPanel accounts between cPanel servers to establish a more balanced usage of all cPanel servers’ resources.

An account transfer will only be performed after the account owner has been informed and a specific time for the transfer has been agreed upon by OIT Web Services and the account owner.

Transferring an account requires a short period of time for the account data to be migrated to the new server and for the DNS records to be updated to the new server’s hostname. The actual IP address of the hosted server will be different. The change of the IP address may be significant to customers who are using IP address-based firewall rules to allow access to external resources by a specific cPanel server.

Customers are responsible for communicating their need for IP address information if their account has been identified as one that will be transferred.

Additional Notes

This agreement will be in force for the fiscal year ending June 30, 2021.

The Customer is responsible for providing billing information, and at least two unique contacts: one administrative (account owner), and one for technical-related inquiries.

Communications, questions, and requests from the Customer to OIT Web Services staff should be submitted through the IT Service Portal.


Owning unit will be billed at a rate of $27/month, prorated from the time the service is initiated, through the end of the fiscal year, June 30, 2021. Additional quota is available at a cost of $32/year/10GB. Additional non-wildcard domains beyond the 5 allotted may be requested for the account at a rate of $10/domain/year, up to a total of 20 domains.

Failure to complete the SLA with the appropriate billing and contact information in a timely manner could result in your cPanel account being deactivated. Please return your SLA within 30 days of receipt.

OIT reserves the right to charge the owning unit for staff hours required to repair and/or remediate accounts that have been hacked, or are in violation of terms