Just something I'm curious about as I can totally imagine it happening in the real world.
Let's say that Healthcorp is a medical services provider of some kind, and as such are required to keep certain records for a certain amount of time. They sign a contract with Archivetopia to keep safe all the records that they absolutely have to hold onto. However, the guy that used to work at GitLab got hired for Archivetopia, and he accidentally deletes a ton of entries from their database, which included Healthcorp's records, and there is no way to recover any of it. Then, Healthcorp gets subpoenaed, so they call up Archivetopia only to find out they can't produce the records they need.
Who is liable in this case?
Healthcorp is still liable. You can subcontract a job, but you can't subcontract the responsibility.
What I mean is that Healthcorp should have procedures to test the backup, and as soon as it failed, they should inform the government.
It can also be asked why Healthcorp only had one backup of the data when it is best practice to have a 3-2-1 backup system. If Archivetopia offered a service as a 3-2-1 solution, why didn't Healthcorp select that? If they did, why didn't they verify the claims of the service?
At the end, Healthcorp would get hit with a fine, but they in turn could sue Archivetopia for breach of contract.