
Navigating Risks Through Contracts: Lessons for Indian SaaS Companies from Third-Party Infrastructure Failures

  • Feb 3

Updated: Feb 6

For Indian SaaS businesses, reliance on global cloud, security, and content delivery providers is often unavoidable. However, it is also a source of significant legal risk, as infrastructure outages can disrupt customer-facing services and expose them to downstream liability, even when the cause lies outside their own operations and systems.


This article explores how carefully negotiated force majeure clauses, well-aligned service level agreements (SLAs), service assurances regarding recovery time and data loss, and other proactive risk management strategies can help Indian SaaS companies protect themselves from the downstream legal and business risks that may arise when critical vendor infrastructure fails.


Why Infrastructure Outages Matter to Indian SaaS Companies


The recent Cloudflare outage demonstrates how failures within a vendor’s systems can cause widespread service disruption. For SaaS companies, when a foundational service fails, customer-facing platforms are impacted instantly, even though the SaaS provider itself may have complied with all internal controls. In such scenarios, legal exposure does not depend on fault alone. It depends on what the relevant contracts say, and more importantly, what they exclude.


Force Majeure Clauses: Broad Protection, Limited Remedies


Most infrastructure and cloud service agreements include expansive force majeure provisions. These clauses excuse performance for events beyond the reasonable control of the parties. However, these days the definition extends even to system failures and network disruptions. This means that even where an outage originates within the vendor’s systems due to a technical error, the vendor’s liability may still be contractually excluded. From a legal standpoint, this shifts the risk downstream to SaaS companies, who remain accountable to their own customers unless they also exclude such liability in their customer contracts.


Key takeaway:


SaaS companies should examine force majeure definitions carefully to ensure that liability for the vendor’s own errors is not excluded.

Service Level Agreement (SLA) and Liability Gaps


SaaS companies usually operate within a layered service delivery structure in which infrastructure, hosting, networking, and security services are procured from third-party vendors, while performance commitments are independently made to customers. Contractual risk arises when service level commitments across these layers are misaligned, for instance, where an infrastructure vendor commits to 99.5 percent uptime, while the SaaS company commits to 99.9 percent uptime to its enterprise customers. In such a scenario, even if there is an outage at the vendor’s end, the vendor may still be fully compliant with its uptime SLA. Yet the SaaS company may be exposed to customer claims for breach of its SLA. In such cases, the SaaS provider effectively assumes liability for the gap between upstream commitments from its vendors and downstream contractual standards promised to its customers.


Key takeaway:


SaaS companies must closely review the upstream SLAs provided by their vendors and align them with the SLA commitments they make to their own customers, to ensure that there are no liability gaps that could leave them exposed to claims for breach of service levels.

RPO and RTO: The Overlooked Risks


A related and often overlooked aspect of negotiating uptime SLAs is the importance of securing express commitments regarding Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics. These metrics define acceptable limits for data loss and the maximum recovery time for services in the event of an outage. While a service may technically meet uptime targets calculated on a monthly basis, there may be outages that extend beyond the acceptable levels of data loss or downtime, particularly for regulated sectors such as financial services. To mitigate this, SaaS companies should seek RPO and RTO commitments from their vendors, independent of uptime SLAs.


Key takeaway:


SaaS companies should obtain robust RPO and RTO commitments from their vendors that are commensurate with their business risks related to downtime and data loss.

Proactive Risk Management


For business-critical services, contractual risk management cannot rely solely on post-incident remedies. Vendor agreements should include affirmative obligations on vendors to conduct periodic disaster recovery drills, test their failover capabilities, and provide written reports evidencing their compliance and remediation posture. Such provisions serve as forward-looking risk controls and are particularly important in regulated and data-sensitive sectors.


Key takeaway:


For business-critical services, SaaS companies should ensure that vendor contracts mandate affirmative obligations for proactive risk management.

Conclusion


The central lesson is that infrastructure dependency is not merely a technical issue. It requires careful consideration of how risk is allocated through contractual clauses. Ensuring alignment between upstream vendor commitments and downstream obligations to customers is essential. Where SaaS companies commit to performance standards that exceed what their vendors are contractually required to deliver to them, they may be assuming operational and financial exposure. Infrastructure outages are foreseeable events, and the true legal risk lies not in the outage itself, but in how responsibility for its consequences is contractually allocated.


Outages are inevitable. The differentiator will be whether companies have anticipated them contractually and operationally.



© 2025 DRN Legal. All rights reserved. 
