Who is legally on the hook when a third-party vendor or cloud provider loses our governed records?
When you outsource storage or processing to a third-party vendor or cloud provider, you can delegate the work of managing records, but you generally cannot delegate the responsibility for them. The organization that creates, owns, or is legally required to keep the records remains accountable for their integrity, availability, and proper disposition.
Accountability stays with the record owner
A core principle of records management is that the organization remains the accountable steward of its records throughout their lifecycle, regardless of where they physically reside. International guidance such as ISO 15489 frames this as an ongoing organizational responsibility, not something that transfers to a service provider. Practically, that means:
- Regulators, courts, and oversight bodies look first to your organization when records are lost, altered, or improperly destroyed.
- Statutory recordkeeping duties (tax, employment, privacy, public-records, and similar obligations) attach to the regulated entity, not its contractors.
- For government agencies, recordkeeping and disposition obligations follow the agency even when systems are hosted externally.
Vendors can share liability — by contract
A vendor is not free of exposure. Its responsibilities are defined largely by the contract, plus any duties imposed by data-protection or sector law. Well-drafted agreements typically address custody, security controls, breach notification, audit rights, data return at termination, and indemnification. If a provider breaches those terms or applicable law, you may have recourse against it. But that recourse is a private remedy between the parties; it does not erase your own duties to regulators or affected individuals.
How to manage the risk
- Do due diligence before signing, and re-assess periodically.
- Spell out roles in the contract: who controls, processes, secures, and disposes of records.
- Require evidence: certifications, audit reports, breach-notification timelines, and the right to inspect.
- Plan for exit: ensure you can retrieve records in usable formats if the relationship ends.
- Keep oversight in-house: assign clear internal ownership; outsourcing operations does not outsource governance.
The bottom line: contracts allocate liability between you and your vendor, but accountability to regulators and the public usually stays with you. Treat vendor and cloud relationships as a governed extension of your own program. See more under /topics/information-governance/.
This is general educational information, not legal advice; consult counsel for your specific obligations.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Who is legally on the hook when a third-party vendor or cloud provider loses our governed records?. Records Management University. https://www.recordsmgmt.org/questions/who-is-liable-when-a-vendor-or-cloud-provider-loses-our-records/
MLA
RM University Editorial. "Who is legally on the hook when a third-party vendor or cloud provider loses our governed records?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-is-liable-when-a-vendor-or-cloud-provider-loses-our-records/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?