
Ghost Credentials: The Hidden Hosting Risk When Contractors Leave Without a Handover

The relationship between a UK small business and its freelance developer often begins with enthusiasm and ends with ambiguity. The developer builds something useful, the business grows around it, the contract concludes — and somewhere in the transition, a quiet problem takes root. The hosting account is still registered to the developer's personal email address. The domain was renewed last year on their credit card. The cloud services dashboard is accessible only through login credentials that left with them when they did.

This is not a rare edge case. It is one of the most common and least discussed infrastructure vulnerabilities affecting UK SMEs today.

How the Problem Is Created

Freelance developers, by the nature of their working arrangements, tend to move quickly and independently. When engaged to build or maintain an application, they will often provision the infrastructure they need using whatever approach is most convenient — which typically means using their existing accounts with hosting providers, cloud platforms, and domain registrars they already have relationships with.

From the developer's perspective, this is practical efficiency. From the business's perspective, it is the inadvertent transfer of ownership and control over critical infrastructure to a third party who has no long-term obligation to the organisation.

The problem is compounded by the fact that many UK SMEs engaging freelancers lack the internal technical knowledge to specify otherwise. If the website works, the application runs, and the invoices are reasonable, there is rarely an obvious prompt to ask who actually owns the accounts underpinning it all. The question only becomes urgent when something goes wrong — or when the developer becomes unreachable.

The Legal and Operational Consequences

When a freelance contractor departs and takes effective control of business infrastructure with them, the consequences span several distinct categories of risk.

Operational continuity is the most immediately obvious concern. If a domain registration lapses because the renewal notification is going to an email address the business cannot access, the consequences range from temporary service disruption to permanent loss of a domain name that has accumulated years of search engine authority and customer recognition. Recovering a lapsed domain — particularly one that has been acquired by a third party — is neither straightforward nor guaranteed.

Security exposure is equally serious. Hosting accounts and cloud services registered under personal credentials may not be subject to the same access controls, multi-factor authentication policies, or offboarding procedures that a properly managed business account would require. A departed contractor who retains access — whether intentionally or simply because no one thought to remove it — represents an unresolved vulnerability in your security posture.

Data protection obligations add a further layer of complexity. Under UK GDPR, your organisation is responsible for the personal data it processes, regardless of where or by whom the infrastructure holding that data was provisioned. If customer data sits within a hosting environment registered to a former contractor, your ability to demonstrate lawful control over that data — or to respond effectively to a Subject Access Request or deletion obligation — is materially compromised.

Commercial leverage is perhaps the least discussed risk. A contractor who retains control of a business-critical domain or hosting environment is in a position of significant power, whether or not they choose to exercise it. Most departures are amicable, and most former contractors will cooperate with a transfer request. But cooperation is not guaranteed, and businesses that find themselves negotiating from a position of dependency are at an obvious disadvantage.

The Audit Your Business Needs to Conduct Now

Identifying the extent of your contractor footprint requires a systematic review of your infrastructure estate. This is not always straightforward, but it is considerably less painful than discovering the problem during a crisis.

Begin by cataloguing every domain your business operates, and verifying the registrant contact details associated with each one through the relevant WHOIS registry. Any domain registered to an individual rather than your business entity warrants immediate attention.

Extend the same scrutiny to hosting accounts, cloud platform subscriptions, SSL certificate authorities, email service providers, DNS management interfaces, and any third-party service integrated into your application stack. For each service, confirm that the primary account holder is the business — not an individual — and that billing, renewal notifications, and administrative access are all tied to business-controlled contact details.

Document the access credentials and account structures for every service identified. Where accounts are registered to former contractors, initiate transfer or migration processes before those accounts become inaccessible.
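
Once the inventory exists as structured records, the ownership checks described above can be repeated on a schedule rather than performed once. The following Python sketch is an added example, not part of the original article; the record fields (owner, billing, notify, admins, renews), the 60-day warning window, and every address, service name and date in the sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data: domains, addresses and dates are illustrative only.
BUSINESS_DOMAINS = {"acme-widgets.example"}
DEV = "dev@freelancer.example"
INVENTORY = [
    {"service": "web hosting", "owner": "it@acme-widgets.example",
     "billing": "accounts@acme-widgets.example", "notify": "it@acme-widgets.example",
     "admins": ["it@acme-widgets.example", DEV], "renews": date(2025, 11, 1)},
    {"service": "domain acme-widgets.example", "owner": DEV, "billing": DEV,
     "notify": DEV, "admins": [DEV], "renews": date(2025, 3, 1)},
    {"service": "email provider", "owner": "it@acme-widgets.example",
     "billing": "accounts@acme-widgets.example", "notify": "it@acme-widgets.example",
     "admins": ["it@acme-widgets.example"], "renews": date(2025, 12, 1)},
]

def email_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()

def audit(inventory, business_domains, today, warn_days=60):
    """Return [(service, findings)] for problem records, soonest renewal first."""
    report = []
    for rec in sorted(inventory, key=lambda r: r["renews"]):
        findings = []
        # Account holder, billing and renewal notices must all reach the business.
        for role in ("owner", "billing", "notify"):
            if email_domain(rec[role]) not in business_domains:
                findings.append(f"{role} contact {rec[role]} is not business-controlled")
        # Any administrator outside the business is access that offboarding missed.
        external = [a for a in rec["admins"] if email_domain(a) not in business_domains]
        if external:
            findings.append("admin access held by: " + ", ".join(external))
        # An approaching renewal turns an ownership gap into an outage risk.
        days_left = (rec["renews"] - today).days
        if days_left <= warn_days:
            findings.append(f"renews in {days_left} days")
        if findings:
            report.append((rec["service"], findings))
    return report

if __name__ == "__main__":
    for service, findings in audit(INVENTORY, BUSINESS_DOMAINS, date(2025, 2, 1)):
        print(service)
        for finding in findings:
            print("  -", finding)
```

Records with no findings are omitted from the report, so an empty result means every listed service is tied to business-controlled contacts and has no renewal inside the warning window.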

Reclaiming Control: The Practical Steps

Where a contractor is still reachable and the departure was amicable, the transfer process is typically straightforward. Most hosting providers and domain registrars have documented account transfer procedures, and a professional request — accompanied by evidence of the business relationship — will generally be sufficient.

Where a contractor is unreachable, uncooperative, or where the business cannot establish the credentials needed to initiate a transfer, the process becomes more complex. Domain registrars have dispute resolution procedures, and organisations such as Nominet — which manages the .uk and .co.uk registries — maintain formal dispute resolution services for cases where ownership is contested. However, these processes take time and carry no guarantee of a swift outcome.

For cloud and hosting accounts, the path is often more difficult, as providers are understandably cautious about transferring account control without clear authorisation. Businesses in this position should engage their legal counsel early, gather any contractual documentation that establishes the intended ownership of the infrastructure, and be prepared for a process that may take weeks.

Prevention Is Considerably Cheaper Than Recovery

The most effective approach to the contractor footprint problem is to prevent it from forming in the first place. Businesses engaging freelance developers should include explicit provisions in their contracts requiring that all infrastructure be provisioned under business-owned accounts, with business-controlled credentials and billing arrangements.

This should be accompanied by a formal handover process at the conclusion of any engagement — one that specifically includes a documented inventory of all infrastructure provisioned during the contract, along with confirmation that access has been transferred and any personal account associations removed.

For businesses that have been operating without these safeguards, the time to conduct the audit is before a renewal lapses, before a security incident occurs, or before a contractor becomes impossible to contact. The infrastructure your business depends upon should be owned — unambiguously and verifiably — by your business.
