
Choosing a web host used to be a decision about speed and price. For Canadian businesses, it has become a compliance decision too. Provincial privacy laws are tightening. Clients and patients are asking where their data is stored. Professional regulators are paying closer attention to how member firms handle personal information online.
If you are evaluating hosting providers, these five questions will tell you most of what you need to know. The answers separate hosts that have thought about these issues from hosts that have not.
1. Where are your servers, physically?
Not “where is your company headquartered.” Where are the actual servers that store my website files, database, and backups?
A surprising number of Canadian hosting companies resell infrastructure from American cloud providers. The company is in Canada. The marketing says Canadian. The servers are in Virginia or Oregon. Your customer data is subject to US law, including the CLOUD Act, which allows US authorities to compel access to data stored on American servers regardless of who owns it.
The answer you want is a specific Canadian city and data centre. Montreal, Toronto, Vancouver, or another identifiable facility. If the host cannot name the location, or if they refer vaguely to “North American infrastructure,” keep asking.
For a deeper look at why physical server location matters under Canadian privacy law, we covered this in detail: Where Is Your Website Actually Hosted?
2. What happens when my site gets hacked?
Not if. When. WordPress is the most targeted content management system on the internet, and no security setup eliminates risk entirely. What matters is what your hosting provider does when something gets through.
Some hosts will suspend your account if malware is detected. That protects their other customers. It does not help you. You are left to find a security firm, pay for a cleanup, verify the site is safe, and then ask the host to reinstate your account.
A host worth paying for runs server-level malware scanning that catches most infections before you notice them, and handles the cleanup when something slips through. That should be part of the service, not a billable emergency.
Ask specifically: “If my site is compromised, do you handle the remediation, and is it included in my plan?”
3. How often do you back up my site, and how far back can I restore?
This is the question that reveals the most about a hosting provider’s infrastructure.
A weekly backup with seven days of retention is the industry minimum, and it is not enough. If your site is hacked on Monday and you do not notice until the following Thursday, every backup in the rotation may already contain the malware. You are restoring a compromised copy.
Look for daily backups at minimum. Retention should be measured in months, not days. And restores should be granular: you should be able to restore just the database, or just the files, without overwriting the entire site.
The follow-up question is where the backups are stored. Backups on the same server as your site are not real backups. If the server fails, you lose both the site and the backup. Off-site storage, ideally at a separate data centre, is the standard you should expect.
4. Can you provide a Data Processing Agreement?
If your website collects personal information through contact forms, appointment bookings, newsletter signups, or customer accounts, you are processing personal data. Under PIPEDA, you are accountable for how that data is handled, including by third parties like your hosting provider.
A Data Processing Agreement sets out in writing what data the host processes on your behalf, how it is protected, what happens in the event of a breach, and what rights data subjects have. If you serve clients in the EU, a DPA is required under GDPR. In Canada, it is increasingly expected as a baseline for any business handling personal data.
Ask your host for their DPA. If they do not have one, or if they do not know what you are asking for, that tells you how seriously they take their role as a data processor.
For businesses in healthcare, legal, or financial services, this is not optional. Your professional regulator, your insurer, or your clients may require you to demonstrate that your hosting provider has appropriate data handling agreements in place.
5. What does “managed” actually mean in your plan?
The word “managed” appears on the marketing pages of nearly every hosting company. It means vastly different things depending on who is using it.
At one end of the spectrum, “managed” means WordPress was pre-installed for you. At the other end, it means a team handles your server, applies WordPress and plugin updates, monitors security, manages backups, configures caching, and provides technical support for WordPress issues, not just server issues.
The question to ask is what happens when you have a WordPress problem. If a plugin update breaks your site at 11 PM on a Friday, does the support team fix it, or do they tell you to contact a developer? If your site slows down after a traffic spike, does the host investigate and resolve it, or do they tell you to upgrade your plan?
The level of support you need depends on your team. If you have a developer on staff who handles WordPress maintenance, a less managed host may be fine. If your WordPress site is a business tool and nobody on your team manages it day to day, the support scope of your hosting plan is one of the most important things to evaluate.
We wrote a detailed breakdown of what “fully managed” should include: What “Fully Managed WordPress Hosting” Actually Means.
Use the answers, not the marketing
Every hosting provider’s website says they are fast, secure, and reliable. The five questions above cut through the marketing and get to the operational reality. A host that can answer all five clearly and specifically is a host that has built their infrastructure with intention. A host that stumbles on any of them is telling you where their gaps are.
Write the answers down. Compare them side by side. The right host for your business will be obvious.
