A cheap website can get expensive fast when you can’t leave.

The problem usually isn’t the design. It’s the trap door under the contract. Your domain is in someone else’s account. Your content only exports as a messy ZIP file. Your forms feed a CRM you don’t control. Your redirects disappear when you cancel. The monthly fee looked simple, then the exit bill showed up.

Vendor lock-in isn’t always shady. Sometimes it’s just a normal side effect of hosted platforms, proprietary page builders, agency-owned hosting, custom plugins, and subscription bundles. But if your website brings in leads, orders, calls, quote requests, appointments, or search traffic, you need to know exactly what you own before you sign.

This checklist is built for small business owners, marketing managers, and web professionals who need a plain-English way to compare website vendors. Use it before you hire an agency, move to a new CMS, sign a website-as-a-service contract, or rebuild on a hosted platform.

Why website vendor lock-in matters in 2026

Websites are more connected than they used to be. A modern business site can depend on hosting, DNS, forms, payment tools, analytics, email delivery, CRM integrations, scheduling, reviews, ads tracking, consent management, and AI search visibility.

That makes ownership messy.

The web is also more platform-dependent. W3Techs reports that WordPress powers about 42% of all websites and roughly 59% of websites with a known CMS as of June 2026. Hosted platforms, custom stacks, and SaaS tools make up much of the rest. Each option has tradeoffs. Open-source systems can still be locked down by a bad host or agency contract. Hosted builders can be easy to run but hard to move away from.

Cloud and SaaS spending keeps rising too. Gartner forecast worldwide public cloud end-user spending to reach $723.4 billion in 2025, and Flexera’s 2025 State of the Cloud Report says organizations expect cloud spend to increase 28% while exceeding budgets by 17%. That same cost pressure reaches smaller websites through hosting, apps, plugins, AI tools, and bundled marketing subscriptions.

Regulators are paying attention because portability has become a real business issue. The EU Data Act introduced cloud-switching obligations that apply from September 12, 2025, and legal analysis from Greenberg Traurig describes the law as a framework to reduce cloud vendor lock-in and improve data portability. Even if you’re not in the EU, the direction is clear: businesses need practical exit rights.

For websites, the stakes are simple. If you can’t move your site without losing rankings, content, forms, files, or customer data, you don’t fully control the asset.

The 41-question website vendor lock-in checklist

Ask these questions before you sign. If you’re already locked into a vendor, use the same list to plan your exit.

1. Domain ownership

  1. Will the domain be registered in our legal business name? ICANN’s transfer policy says the Registered Name Holder is the party with authority to approve or deny registrar transfer requests, so the registrant name matters.

  2. Will we have the registrar login, not just DNS access? A vendor can manage DNS for you, but the registrar account controls renewal, transfer locks, nameservers, and authorization codes under ICANN’s registrar transfer framework.

  3. Who receives renewal, transfer, and ownership-change emails? Domain transfer approval depends on the registered holder and registrar process, which is why ICANN requires transfer processes to be clear and accessible to registered name holders.

  4. Can we unlock and transfer the domain without paying a website cancellation fee? ICANN policy allows registrants to transfer domains between registrars when the transfer meets policy requirements and is not otherwise prohibited.

  5. Are domain privacy, DNSSEC, and renewal settings documented? ICANN’s registrant education materials emphasize keeping registration data and domain contacts accurate, because outdated access can turn a routine move into an emergency.

2. Hosting and infrastructure

  1. Is hosting in our account or the vendor’s shared account? If hosting sits inside the vendor’s account, you may need their cooperation to access files, logs, backups, SSL settings, and DNS records.

  2. Can we get a full backup of files and database on demand? Genie AI’s SaaS contract guidance recommends explicit export rights, common formats, timeframes, and fees before signing.

  3. What happens to backups after cancellation? The same contract guidance recommends a post-termination access window, often 30 to 90 days, so you can move without losing business-critical data.

  4. Are server logs available if SEO, security, or analytics needs them? Logs help diagnose crawl issues, outages, redirects, bot traffic, and security incidents, and Google’s Search Central documentation repeatedly treats crawl access and server responses as core indexing signals.

  5. Can the site run on another host without rewriting it? If your site depends on proprietary hosting features, custom server rules, or hidden deployment scripts, leaving becomes a rebuild instead of a migration.

3. CMS and content portability

  1. Can every page, post, image, file, author, category, and redirect be exported? A useful export is not just text. It includes the pieces needed to rebuild the site without hand-copying hundreds of pages.

  2. Is the export in a common format like XML, CSV, JSON, Markdown, SQL, or a documented CMS format? SaaS portability guidance commonly recommends non-proprietary formats such as CSV, JSON, and XML.

  3. Do page builder layouts survive the move? Some builders store content inside shortcodes, proprietary blocks, or app-specific JSON, which can make exported content hard to reuse.

  4. Can we edit core pages without asking the vendor? If every content edit requires a support ticket, you own less operational control than the sales pitch suggests.

  5. Who owns custom code, components, templates, and design files? The answer should be written in the contract, because copyright, license rights, and usage rights are not the same thing.

  6. Are paid themes, fonts, images, plugins, and templates licensed to us or the vendor? If the vendor owns the license, cancellation may remove the legal right to keep using parts of the site.

  7. Can we receive the source files, not only the built site? For custom work, source files can include repository access, design files, component libraries, schema templates, and deployment instructions.

4. SEO and traffic protection

  1. Will we receive a complete URL list before and after launch? Google recommends mapping old URLs to new URLs during a site move, so you need the URL inventory.

  2. Will 301 redirects remain active after cancellation or migration? Google’s Change of Address documentation recommends keeping redirects for at least 180 days and keeping the old domain for at least a year.

  3. Can we export redirects in a reusable format? Redirects are business assets when rankings, backlinks, ads, email links, QR codes, and sales decks point to old URLs.

  4. Will we keep access to Google Search Console, Google Business Profile, analytics, tag manager, and ad accounts? Google’s Search Console Change of Address workflow requires verified properties, which means access can directly affect migration control.

  5. Who controls structured data, XML sitemaps, robots.txt, and canonical tags? Google’s site move documentation points to sitemaps, redirects, canonicalization, and crawlability as key migration signals.

  6. Does the vendor provide a migration support period? A real migration needs testing, redirect checks, index monitoring, analytics checks, and fixes after launch.

5. Forms, leads, CRM, and customer data

  1. Where do form submissions go first? If leads only live inside the vendor’s portal, cancellation can cut off history, notes, and attribution data.

  2. Can we export all form submissions with timestamps, page URLs, source fields, and consent fields? FTC negative-option rule materials show how much regulators care about consent, billing, and cancellation records in recurring relationships, and lead records can matter during disputes too.

  3. Do we control the CRM, email marketing platform, and appointment scheduler accounts? If those systems are bundled under the vendor’s account, the site is only one part of the lock-in.

  4. Can integrations be moved with API keys rotated safely? Good handoff includes API owners, webhook endpoints, OAuth apps, secret storage, and a plan to revoke old access.

  5. Is customer data deleted, retained, or transferred after termination? Genie AI recommends contracts specify post-termination access and deletion certification, especially when customer data is involved.

6. Contracts, billing, and cancellation

  1. Is the cancellation process as easy as the signup process? The FTC’s final Negative Option Rule requires simple cancellation mechanisms for recurring charges, and the FTC’s public summary calls this the “click-to-cancel” rule for subscriptions and memberships.

  2. Are auto-renewal terms, notice windows, and cancellation fees clear? The Federal Register rule prohibits misrepresentations of material facts and requires important information before obtaining billing information for negative-option programs.

  3. Is there a separate fee for exporting files, database, content, redirects, or customer data? Portability fees should be known before you sign, not discovered after the relationship goes bad.

  4. Can prices increase during the term? If the vendor can raise hosting, maintenance, plugin, or platform fees without a cap, the exit plan becomes your negotiating power.

  5. What support is included during offboarding? Offboarding should name deliverables, deadlines, formats, account transfers, access removal, and points of contact.

7. Performance, security, and dependencies

  1. Which third-party scripts are required for the site to function? The HTTP Archive 2025 Web Almanac found the median home page weighed 2.86 MB on desktop and 2.56 MB on mobile, so extra scripts are not a small technical detail.

  2. Can we remove vendor branding, tracking, or injected scripts? If the platform forces scripts you don’t need, you’re carrying performance, privacy, and maintenance overhead you don’t control.

  3. Who patches the CMS, plugins, server, and integrations? Website maintenance is an ownership issue because outdated software affects security, uptime, and customer trust.

  4. Do we get admin access with least-privilege roles? You should not need a vendor’s personal login to manage your own site, and the vendor should not keep broad access forever.

  5. Are passwords, recovery codes, DNS records, and API keys handed over securely? A clean handoff means credentials are transferred through a secure method, then rotated where possible.

8. Proof before you sign

  1. Can the vendor show a sample export before the contract is signed? A sample export proves whether “you own your content” means usable files or a pile of fragments.

  2. Can the vendor show a sample offboarding checklist? Mature vendors have a standard process because good clients sometimes outgrow them.

  3. Will the contract say that nonpayment disputes don’t allow the vendor to seize the domain, delete data, or disable critical access without notice? Your website is an operating asset, not a hostage note.

Red flags that should slow you down

The fastest way to spot lock-in is to listen for vague answers.

Watch for these:

  • “You don’t need access. We handle everything.”
  • “The platform is proprietary, but don’t worry about it.”
  • “Exports are possible, but we’ve never had anyone ask.”
  • “The domain stays in our account for convenience.”
  • “You can cancel anytime, but there is a migration fee we price later.”
  • “Search Console and analytics are under our master account.”
  • “If you leave, the site can’t be hosted anywhere else.”

None of those lines automatically means the vendor is bad. Sometimes a managed setup is exactly what a small team needs. But every one of them should lead to a written answer.

A simple scoring framework

Use this scoring system when comparing vendors.

Give each vendor 0, 1, or 2 points for each category:

  • 0 points: unclear, vendor-owned, proprietary, or expensive to leave
  • 1 point: partially portable, but requires vendor help or extra fees
  • 2 points: clearly owned by you, documented, exportable, and transferable

Score these 10 categories: domain, DNS, hosting, CMS, content export, design files, SEO assets, analytics accounts, form and CRM data, and cancellation terms.

A score below 10 means you are buying convenience with serious lock-in risk. A score from 10 to 15 means the deal may be fine if the business value is strong and the exit terms are written down. A score above 15 usually means the vendor respects ownership and has done this before.

The number isn’t magic. The conversation is the point. If a vendor gets defensive when you ask reasonable ownership questions, that’s useful information.

What a fair website handoff should include

A fair handoff doesn’t mean the vendor gives away trade secrets or unpaid work. It means the client can keep operating the business asset they paid for.

At minimum, ask for:

  • Domain registrar access, DNS records, hosting access, SSL details, CMS admin access, and a current backup
  • Exported content, media library, redirects, sitemap, robots.txt, schema notes, analytics access, tag manager access, and Search Console ownership
  • Source files or agreed usage rights for templates, custom code, design files, paid assets, licenses, API keys, form data, CRM data, and integration documentation

If a vendor won’t provide those, the lower monthly price may not be a bargain. It may be a down payment on a future rebuild.

FAQ

Is vendor lock-in always bad?

No. A hosted website builder, managed hosting plan, or agency maintenance plan can be a smart choice when it saves time and reduces technical work. The risk starts when you don’t know what happens if pricing changes, service quality drops, or your business needs a different setup.

Should a small business own its domain directly?

Yes. Let the vendor manage DNS if needed, but keep the registrar account and legal registrant details under your business control. ICANN’s transfer policy gives the Registered Name Holder authority over transfer approval, so domain ownership is not a paperwork detail.

Is WordPress less locked-in than Wix, Squarespace, Shopify, or Webflow?

It depends on the setup. WordPress has the largest CMS footprint on the web, and its open-source model can make migration easier. But a WordPress site can still be locked into agency-owned hosting, paid plugins, custom builders, or missing source files. Hosted platforms can be less portable, but their managed systems may be worth it if the exit terms are clear.

What should I ask before signing a website-as-a-service contract?

Ask who owns the domain, whether content and data can be exported, what happens after cancellation, which accounts you control, how redirects are preserved, and whether there are offboarding fees. If the answers are verbal, ask for them in the contract.

What if I’m already locked in?

Start with access. Get registrar access, CMS admin access, hosting access, analytics ownership, Search Console ownership, a full backup, and an export of forms and leads. Then document dependencies before canceling anything. Google recommends careful planning for site moves with URL changes, and rushed migrations are where traffic gets lost.

Want a website you actually own?

Your website should be easy to operate, easy to improve, and possible to move without starting from zero.

If you’re comparing vendors, cleaning up a messy setup, or planning a rebuild, start here. We’ll help you build a site that brings in leads without trapping your business behind someone else’s login.