Just something I'm curious about as I can totally imagine it happening in the real world.
Let's say that Healthcorp is a medical services provider of some kind, and as such are required to keep certain records for a certain amount of time. They sign a contract with Archivetopia to keep safe all the records that they absolutely have to hold onto. However, the guy that used to work at GitLab got hired for Archivetopia, and he accidentally deletes a ton of entries from their database, which included Healthcorp's records, and there is no way to recover any of it. Then, Healthcorp gets subpoenaed, so they call up Archivetopia only to find out they can't produce the records they need.
Who is liable in this case?
Healthcorp is still liable; you can subcontract a job, but you can't subcontract the responsibility.
What I mean is that Healthcorp should have procedures to test the backup, and as soon as it failed, they should inform the government.
It can also be asked why Healthcorp only had one backup of the data, when it is best practice to have a 3-2-1 backup system. If Archivetopia offered a service as a 3-2-1 solution, why didn't Healthcorp select that? If they did, why didn't they verify the claims of the service?
At the end, Healthcorp would get hit with a fine, but they in turn could sue Archivetopia for breach of contract.
I'm not a lawyer, but I think this would be on Archivetopia. I think the question would be whether Healthcorp had taken reasonable care to preserve these records, or had been negligent by leaving them entirely in the hands of Archivetopia. It seems to me that the former would be the case, and that Archivetopia has failed to appropriately safeguard those files, if a random employee can delete them without any procedures in place to prevent that or to keep additional backups.
Obviously there are multiple points of failure here - any one out of Healthcorp, Archivetopia, or the employee could have acted differently to prevent this. But if Healthcorp had a reasonable expectation that handing these documents over to Archivetopia would meet their obligations to preserve them, they should be in the clear - just as they would be if their document warehouse met all health and safety regulations but somehow burned down anyway. In both cases, they did what they could but events beyond their control resulted in data loss. In both cases, there is still a question about reasonable care: Did their warehouse meet all safety requirements? Did they have good reason to believe that these documents would be safe with Archivetopia? If the answer to those questions is no, they are still at fault. If yes, they are in the clear.
On top of this, Archivetopia is certainly at fault (multiple parties may be in the wrong here). And of course, the employee is at fault, although I don't know if they'd be legally culpable or if it would be an internal matter.
Not a conclusive answer, but I hope this helps to clarify some of the considerations involved.