Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is
responsible only to the cloud customer. This means that the provider has a contractual obligation to
deliver the agreed-upon services and meet the service level agreements (SLAs) with the cloud
customer, who is the direct payer of the services. The provider is not responsible for any other
parties, such as the cloud customer’s clients, end users, or regulators, unless explicitly specified in
the contract. The cloud customer is responsible for ensuring that the provider’s services meet their
own compliance and security requirements, as well as those of their stakeholders12.
Reference:
Shared responsibility in the cloud - Microsoft Azure
Cloud security shared responsibility model - NCSC
