Quick Answer
An application service provider (ASP) is a company that hosts, operates, and maintains a software application on its own infrastructure and lets customers access that application remotely over the internet on a subscription basis. Rather than installing the software on their own servers, customers pay a recurring fee and reach the application through a browser, thin client, or remote-access protocol — eliminating the cost, complexity, and operational burden of running the software themselves.
This guide covers the formal definition, how ASPs differ from Software-as-a-Service (SaaS) and managed service providers, named examples across industries, compliance implications under HIPAA and SOC 2, and a six-point framework for evaluating one.
The formal definition of an application service provider
The original ASP definition, used by analysts and procurement frameworks since the late 1990s, is "a third-party entity that manages and distributes software-based services and solutions to customers across a wide-area network from a central data centre." Three characteristics make a provider an ASP rather than a software vendor or generic IT consultancy:
- Centralised hosting. The application runs on the provider's infrastructure (their own data centres or a cloud platform they operate on the customer's behalf) rather than on customer-owned equipment.
- Remote, networked access. Customers reach the application over the internet, a private connection, or a virtual desktop — never via a locally-installed binary they own.
- Subscription commercial model. Customers pay an ongoing per-user, per-seat, or capacity-based fee that covers software licensing, hosting, support, updates, and security operations — not a one-off perpetual licence.
Although the ASP label originated in the dial-up and early-broadband era as an alternative to on-premises ERP, CRM, and accounting software, it remains the formal classification used in many regulatory and procurement contexts today — particularly in healthcare (HIPAA business-associate agreements), finance (SOC 2 Type II reports), and government procurement (where the "Application Service Provider" line-item still appears in pricing schedules).
ASP vs SaaS: the technical and commercial distinction
The terms "application service provider" and "Software-as-a-Service (SaaS) provider" are often used interchangeably, and from a buyer's perspective they often feel identical — pay a subscription, log in, get a working application. But there is a meaningful technical and commercial distinction that matters in procurement, compliance, and data-residency conversations.
| Dimension | Application service provider (ASP) | Software-as-a-Service (SaaS) |
|---|---|---|
| Application origin | Hosts a third-party packaged application (often the same application customers could install themselves) | Purpose-built application, owned and operated by the vendor |
| Tenancy model | Typically single-tenant or simple multi-tenant — each customer often gets a dedicated instance | Multi-tenant by design — shared infrastructure with logical isolation |
| Code ownership | Software is licensed from a third-party vendor (e.g. SAP, Oracle, Microsoft) | Software is built and owned by the provider itself |
| Customisation | Usually allows deep customisation of the underlying packaged application | Usually limits customisation to configuration; deep changes require API extensions |
| Upgrade cadence | Tied to the underlying software vendor's release cycle | Continuous deployment, vendor-controlled |
| Typical contract term | Multi-year (3–5 years) | Monthly or annual, often with month-to-month options |
| Examples | Hosted SAP, hosted Microsoft Dynamics, hosted Sage, hosted legacy EHRs | Salesforce, Workday, Slack, Notion, Shopify |
In casual conversation the labels overlap. In a procurement document, the distinction matters because the ASP model triggers different contractual obligations: an ASP customer typically retains rights against the underlying software vendor (the ASP is hosting their licence of someone else's product), whereas a SaaS customer's relationship is entirely with the SaaS vendor. This affects exit clauses, IP indemnity, and version-rollback rights — all worth checking explicitly before signing.
ASP vs MSP vs CSP: how they differ
An application service provider sits in the broader category of service providers, alongside managed service providers (MSPs) and cloud service providers (CSPs). The three categories often blur, but the responsibility boundaries differ:
- Cloud Service Provider (CSP) — operates the underlying infrastructure (compute, storage, network, platform services). Customers consume raw resources or managed primitives. Examples: AWS, Microsoft Azure, Google Cloud Platform.
- Managed Service Provider (MSP) — operates the customer's IT or cloud environment as a whole, under an SLA. Responsible for uptime, security, patching, and incident response across an estate. Examples: Opsio, Accenture, Rackspace.
- Application Service Provider (ASP) — hosts and operates a specific packaged application that the customer accesses remotely. Responsible for the application's availability and performance for its users. Examples: hosted SAP providers, hosted Microsoft Dynamics partners, hosted legacy ERP operators.
A single engagement can involve all three: the CSP operates the cloud, the MSP runs the customer's infrastructure inside the cloud, and the ASP hosts a specific business application within that infrastructure. Modern delivery often consolidates the MSP and ASP roles within one supplier.
Common examples of application service providers
The named examples below cover the most common ASP categories seen in mid-market and enterprise procurement today:
- Enterprise resource planning (ERP) — hosted SAP S/4HANA partners, hosted Oracle E-Business Suite providers, Microsoft Dynamics 365 hosting partners, hosted Sage and IFS deployments.
- Healthcare — hosted Epic and Cerner electronic-health-record deployments (often via Epic Connect or Cerner CommunityWorks), hosted Allscripts and Meditech instances. Each contract is structured under HIPAA business-associate-agreement terms.
- Finance and accounting — hosted QuickBooks Enterprise, hosted Sage Intacct, hosted MYOB Advanced, and the historic hosted Microsoft Office ASPs.
- Virtual desktop and application-streaming ASPs — Citrix Service Providers, VMware Horizon partners, AWS WorkSpaces resellers, Azure Virtual Desktop hosting specialists.
- Industry-specific verticals — hosted legal practice management (Clio, Aderant), hosted construction and project software (Procore partners), hosted hospitality property-management systems.
The biggest pure-play ASPs are not household names because they typically operate in vertical or regional niches; in most enterprise procurement they appear as the "hosted <product>" provider rather than under the ASP label.
How ASPs are priced
ASP pricing typically combines two layers: the underlying software licence (which the ASP either passes through at cost-plus or bundles into the subscription) and the hosting and operations fee. The most common pricing models are:
- Per-user, per-month — most common for office productivity, CRM, and HR applications.
- Per-seat plus capacity — common for ERP and EHR, where a base "named user" fee is combined with infrastructure-tier pricing tied to data volume or transaction load.
- Capacity-based — used for high-volume transactional applications where seat counts are less meaningful (e.g. e-commerce platforms, payment-processing back ends).
- Cost-plus — pass-through hosting and licensing costs with a managed-services margin on top, common in highly customised or low-volume vertical ASPs.
Total-cost-of-ownership analysis for an ASP engagement should always include the underlying software licences, hosting infrastructure, integration and onboarding fees, and the cost of switching providers at contract end (data migration, parallel running, knowledge transfer). The most common surprise on the buyer side is exit cost rather than ongoing run cost.
Compliance implications of using an ASP
Because an ASP processes customer data on its own infrastructure, the customer's compliance obligations extend through the ASP contract. The three frameworks that come up most often in ASP evaluations:
- HIPAA — any ASP that touches protected health information (PHI) on behalf of a covered entity is a business associate under HIPAA and must execute a Business Associate Agreement (BAA). Hosted EHR providers are the classical example.
- SOC 2 Type II — the de facto baseline for any ASP serving regulated industries or enterprise customers. The relevant trust-services criteria are Security (always), and usually Availability, Confidentiality, and Processing Integrity. SOC 2 Type II requires a 6–12 month audit window with continuous evidence collection.
- ISO 27001 + ISO 27017 — increasingly the European baseline. ISO 27001 covers the ASP's information-security management system; ISO 27017 adds cloud-services-specific controls (controls related to cloud-customer responsibility boundaries, virtualisation security, and the secure handling of customer assets in a shared cloud).
For ASPs operating in the EU or processing EU personal data, GDPR Article 28 governs the processor relationship and the data-processing agreement (DPA) is a separate contractual document from the master services agreement. Always check that both the BAA / DPA and the underlying compliance certifications are current — not "in progress" or "expected next quarter".
How to choose an application service provider
ASP engagements tend to be longer and stickier than generic SaaS subscriptions (3–5 year contracts are typical, and exit costs are real). The six-point framework below covers what matters most in selection:
- Depth of expertise in the specific application. A hosted SAP provider whose engineers are SAP-certified, with named references in your industry, is materially different from a generic IT firm that "also hosts SAP". Ask for engineer-level certifications and reference deployments matching your scale.
- SLA structure on application availability, not just infrastructure. Many ASP contracts SLA only the underlying infrastructure (99.9% server uptime) while the application itself is excluded. Insist that the SLA measures end-user application availability and that excluded windows (planned maintenance, vendor-driven outages) are bounded in writing.
- Compliance posture relevant to your industry. For ASPs touching regulated data, verify current SOC 2 Type II (not Type I, not "in process"), HIPAA BAA willingness, and any industry-specific certifications (FedRAMP, PCI DSS, ISO 27017, IRAP).
- Data ownership, residency, and portability. Where will your data physically live? Which jurisdictions have legal access to it? On contract termination, in what format can you extract it, and within how many days? Get all three answered in writing before signing.
- Integration with your existing identity, monitoring, and data stack. Modern ASPs should support SAML / OIDC single sign-on, SCIM provisioning, exportable application logs, and APIs for your data pipeline. Lack of any of these signals an ASP built for an earlier era.
- Exit terms. Get explicit, written answers on data-extraction format, transition-services rates per day, runbook handover scope, knowledge-transfer period, and termination-for-convenience notice period. The cost of unwinding a poorly-chosen ASP is consistently the largest line item in this category of mistakes.
Frequently asked questions
What is the definition of an application service provider?
An application service provider (ASP) is a company that hosts, operates, and maintains a software application on its own infrastructure and provides remote access to that application for customers on a subscription basis. The customer pays an ongoing per-user or capacity-based fee rather than purchasing a perpetual software licence; the ASP handles hosting, support, security, and ongoing updates. The model originated in the late 1990s and is still used today, particularly for hosted ERP, EHR, and vertical-industry applications.
What is an application service provider in simple terms?
An application service provider is a company that runs software for you, on their servers, and lets you log in over the internet to use it — rather than you installing and maintaining the software yourself. You pay a monthly or annual subscription that covers the software, the servers, the support, and the security operations. Common examples include hosted accounting systems, hosted electronic health records, and hosted enterprise resource planning applications.
What is the difference between an ASP and SaaS?
A Software-as-a-Service (SaaS) provider builds and operates its own purpose-built multi-tenant application (e.g. Salesforce, Workday). An application service provider (ASP) hosts a third-party packaged application on customers' behalf, often single-tenant, often allowing deep customisation of the underlying product. From a buyer's perspective the difference rarely matters operationally, but it matters in contract terms (IP indemnity, vendor relationships, customisation rights) and compliance terms (which party is the data processor and which is the data controller). In casual usage the labels are often used interchangeably.
What are some examples of application service providers?
Common examples include hosted SAP, hosted Oracle E-Business Suite, hosted Microsoft Dynamics 365, and hosted Sage in the ERP category; hosted Epic and Cerner deployments in healthcare; hosted QuickBooks Enterprise and Sage Intacct in finance; virtual-desktop and application-streaming ASPs built on Citrix, VMware Horizon, AWS WorkSpaces, or Azure Virtual Desktop; and vertical specialists like hosted legal practice management (Clio, Aderant) and hosted construction software (Procore partners). The biggest ASPs are typically regional or vertical specialists rather than household names.
Are application service providers still relevant today?
Yes — the formal "application service provider" classification still appears in regulatory frameworks (HIPAA, SOC 2), government procurement (where ASP is a line-item category), and enterprise contracts for hosted versions of packaged software. The category has also evolved: many modern ASPs deliver virtual-desktop and application-streaming services, hosted enterprise applications on hyperscale cloud, and managed legacy systems that have not been rewritten as native SaaS.
What is the difference between an ASP and a managed service provider?
An ASP hosts a specific software application and is responsible for that application's availability for its users. A managed service provider (MSP) operates a broader IT or cloud environment under an SLA — infrastructure, networks, security, end-user computing — and may host multiple applications within that environment. A single engagement can include both: the MSP runs your cloud, and an ASP within that environment hosts a specific business application. Modern enterprise delivery often consolidates the two roles within one supplier. See our breakdown of service providers for the full taxonomy.
What compliance certifications should an application service provider have?
The baseline expectations vary by industry: SOC 2 Type II is the de facto baseline for any ASP serving regulated industries or enterprise customers; HIPAA business-associate agreement is required for any ASP touching protected health information; PCI DSS Level 1 is required for ASPs handling cardholder data; ISO 27001 (and increasingly ISO 27017 for cloud-services controls) is the European baseline; and FedRAMP authorization is required for ASPs serving the U.S. federal government. Always verify that certifications are current and not "in process" before signing.
How do application service providers charge?
The most common ASP pricing models are per-user-per-month (common for productivity, CRM, and HR applications), per-seat plus capacity (common for ERP and EHR where a named-user fee combines with infrastructure-tier pricing), capacity-based (used for high-volume transactional applications), and cost-plus (common in highly customised vertical ASPs). Total cost of ownership should always include underlying software licences, infrastructure, integration and onboarding fees, and the cost of exit — which is typically the largest surprise line item for buyers.
Written By

Country Manager, Sweden at Opsio
Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. We update content quarterly for technical accuracy. Opsio maintains editorial independence.