The market for REDCap hosting is small but growing — and not all providers are created equal. Some understand the REDCap ecosystem deeply. Others are general IT shops who've added REDCap to their service list without understanding the licensing complexities or compliance requirements. Choosing the wrong provider can create HIPAA exposure, violate your Vanderbilt license, or leave you without recourse when something breaks during an active data collection window. These seven questions will separate the qualified providers from the rest.
Question 1: Do Your Staff Have Access to Our REDCap Software or Source Code?
This is the most important question you can ask — and many institutions never think to ask it.
Vanderbilt's REDCap consortium license is explicit: the technical staff managing REDCap must be employees of the licensed institution. The hosting provider cannot access the REDCap source code or the REDCap installation itself. If a provider's staff are configuring REDCap, building instruments, or performing REDCap administration on your behalf, they are almost certainly violating Vanderbilt's license terms — and so are you.
The correct answer from a legitimate provider is: "No. We manage the server infrastructure. Your team manages REDCap itself. We have no access to your REDCap installation or source code."
What this means in practice: Your hosting provider gives you a server URL and handles everything below the application layer. REDCap lives on their infrastructure but is entirely managed by your staff. This is the only arrangement compliant with Vanderbilt's license for a nonprofit or academic institution.
Question 2: Will You Sign a Business Associate Agreement?
If your REDCap environment will ever touch Protected Health Information — and for most research programs, it will — a signed BAA with your hosting provider is a HIPAA requirement, not a nice-to-have.
A BAA defines each party's obligations under HIPAA, establishes what the Business Associate (the hosting provider) can and cannot do with PHI, and creates legal accountability if a breach occurs. Without a BAA, your organization is exposed.
Any credible REDCap hosting provider should be able to produce a BAA immediately and without hesitation. If a provider hedges, charges extra for a BAA, or says "we support HIPAA but don't do BAAs," move on.
Question 3: What Does Your Infrastructure Actually Look Like?
"HIPAA-compliant hosting" is a phrase that gets used loosely. Push for specifics:
- Is data encrypted at rest? What encryption standard?
- Is data encrypted in transit? (TLS 1.2 or higher)
- What are your power redundancy arrangements? (UPS, generator backup?)
- What network redundancy do you have? (Multiple ISPs, BGP routing?)
- Is this shared infrastructure or dedicated hardware?
- Where is the data center physically located?
- Do you have 24/7 monitoring and incident response?
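The encryption-in-transit item on this list is one you can verify yourself rather than take on trust. The following script is an added example and is not code from the article or from any hosting provider: it handshakes with the provider's HTTPS endpoint (the hostname `redcap.example-host.org` is a placeholder you replace with the URL the provider gives you), records the negotiated TLS version, cipher and certificate expiry, and applies the "TLS 1.2 or higher" criterion above. It only reports what a modern client negotiates; confirming that the server also refuses TLS 1.0 and 1.1 for older clients needs a dedicated TLS scanner, so ask the provider for that report as well.

```python
"""Due-diligence probe of a hosting provider's HTTPS endpoint.

Added example, not part of the original article. Assumes the provider has
given you a hostname (placeholder: redcap.example-host.org) serving TLS on 443.
"""
import socket
import ssl
import sys
import time

MIN_TLS = "TLSv1.2"
# Protocol names as returned by SSLSocket.version(), ordered oldest to newest.
_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def probe(host, port=443, timeout=5.0):
    """Handshake with the endpoint and record what was actually negotiated.

    create_default_context() verifies the certificate chain and hostname, so a
    self-signed or mismatched certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),      # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],     # e.g. "TLS_AES_256_GCM_SHA384"
                "not_after": cert["notAfter"], # e.g. "Jan  1 00:00:00 2030 GMT"
            }


def assess(result, now=None, min_cert_days=30):
    """Apply the checklist criteria to a probe result; return a list of findings.

    An empty list means nothing to raise with the provider. `now` is an epoch
    timestamp (defaults to the current time) so the check is reproducible.
    """
    findings = []
    version = result["version"]
    if version not in _ORDER:
        findings.append("unrecognised protocol version %r" % (version,))
    elif _ORDER.index(version) < _ORDER.index(MIN_TLS):
        findings.append("negotiated %s; TLS 1.2 or higher expected" % version)

    # ssl.cert_time_to_seconds parses the notAfter string as UTC.
    expires = ssl.cert_time_to_seconds(result["not_after"])
    days_left = (expires - (time.time() if now is None else now)) / 86400.0
    if days_left < min_cert_days:
        findings.append("certificate expires in %.0f days" % days_left)
    return findings


if __name__ == "__main__":
    # Usage: python tls_probe.py redcap.example-host.org
    host = sys.argv[1] if len(sys.argv) > 1 else "redcap.example-host.org"
    result = probe(host)
    print("negotiated:", result)
    for finding in assess(result):
        print("FINDING:", finding)
    if not assess(result):
        print("no findings")
```

Run it from a workstation on your own network, not from the provider's environment, so the result reflects what your users will actually negotiate. Keep the output with the rest of the vendor due-diligence file; a second run after the contract starts confirms the configuration did not drift.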
A provider who can answer these questions in detail is a provider who actually understands what they're running. Vague answers like "we use AWS" or "we follow best practices" are red flags.
Question 4: What Is Your Uptime SLA and How Is It Enforced?
REDCap environments supporting active data collection — particularly longitudinal studies, clinical trials, or time-sensitive surveys — cannot afford unplanned downtime. An uptime SLA (Service Level Agreement) defines what the provider commits to and what happens if they fall short.
Ask specifically:
- What is your committed uptime percentage? (99.9% means ~8.7 hours of downtime per year)
- How is downtime calculated? (Scheduled maintenance windows often don't count)
- What is the remediation if you miss the SLA? (Credits? Termination rights?)
- How much advance notice do you provide for scheduled maintenance?
Watch out for: SLAs that define uptime as "commercially reasonable efforts" rather than a specific percentage. That's not a commitment — it's a disclaimer.
Question 5: Who Owns Our Data and How Do We Get It Out?
Your data is yours. This should be obvious, but your contract should make it unambiguous. Some hosting agreements include language that gives the provider broad rights over data stored on their infrastructure, or create friction around data portability when you want to leave.
Before signing, confirm:
- The agreement explicitly states that all data is owned by your organization
- You can export your complete REDCap data at any time without restriction
- Upon termination, the provider will delete all copies of your data within a defined timeframe and confirm in writing
- There are no "data retrieval fees" or exit barriers
Question 6: Do You Understand the REDCap Ecosystem?
REDCap has quirks that general IT providers won't know about: the consortium license process, the Community platform, the specific server requirements (Linux/Apache/MySQL/PHP stack), the upgrade cadence, known compatibility issues, and the difference between a standard deployment and one configured for 21 CFR Part 11 compliance.
Ask the provider:
- How many REDCap environments have you deployed?
- Are you familiar with the Vanderbilt consortium license process?
- Have you managed REDCap version upgrades before? What does that process look like?
- Have you worked with institutions similar to ours?
A provider who has never deployed REDCap before will learn on your time — and your dime. Demonstrated experience with the specific platform matters.
Question 7: What Does Pricing Look Like as We Grow?
This question reveals a lot about a provider's business model and how well it aligns with yours.
Per-project pricing (like REDCap Cloud) punishes institutional growth — every new study adds to the monthly bill. Flat-rate pricing grows with you without penalizing research activity. Ask:
- Is pricing per-project or flat rate?
- Are there caps on the number of projects, users, or records?
- What happens to pricing if our usage doubles?
- Are there annual contract discounts?
| Pricing Model | 5 Projects | 10 Projects | 20 Projects |
|---|---|---|---|
| Per-project ($1,000/ea) | $5,000/mo | $10,000/mo | $20,000/mo |
| Flat-rate (Standard) | $1,500/mo | $1,500/mo | $1,500/mo |
For any institution running more than two active REDCap projects, flat-rate hosting is almost always the better economic choice.
Kapstone answers all seven questions.
We're happy to walk through any of these in detail on a call. No pressure — just straight answers about what we do and how we do it.