
BCDR

A wide museum-gallery shot of three enormous stone tablets standing upright in a loose triangle, not quite touching. In the triangular gap of empty floor between them, a single spotlit office chair sits alone. Faint engraved labels read "vendor," "customer," and "insurer" — a visual metaphor for the business leader standing in the unprotected gap between three contracts that never quite meet.

What Your Vendor Contracts Actually Promise When Things Go Wrong — And What Business Leaders Should Do About the Gap


Mahesh Chandran

CEO, Dataring


A common pattern: an e-commerce retailer suffers a 6-hour outage of a critical SaaS platform, loses roughly $2.1 million in transaction revenue and remediation costs, files an SLA claim with the vendor, and receives $3,200 in service credits. The credits amount to about 0.15% of the actual loss. The retailer absorbs the other 99.85%.

This is not an unusual story. It is the normal way SLAs work, and the normal way business leaders discover it is during a crisis when they can least afford to learn an expensive lesson. The gap between what vendor contracts promise and what actual outages cost is one of the most under-examined risks in modern business operations, and it sits squarely in the domain of business unit leaders — the people who sign the vendor contracts, commit to the customer SLAs, and own the customer relationships that suffer when things break.

This post teaches a framework for reading vendor contracts, customer SLAs, and cyber insurance policies with continuity in mind. It's the final post in a five-part series for business leaders and is intentionally practical: by the end, you'll know exactly what questions to ask before signing any vendor contract, how to evaluate your customer-side exposure, and how to contribute to your organization's cyber insurance posture.

The dark matter of downtime economics

In an earlier post in this series on downtime economics, we introduced the Downtime Impact Equation: the total cost of a system outage is composed of lost revenue, lost productivity, recovery costs, reputational damage, and regulatory or contractual penalties. That last component — regulatory and contractual penalties — is the dark matter of the equation. It's often the largest single component, yet most business leaders don't know its size until after an incident forces them to find out.

Contractual exposure comes from three sources simultaneously, and each source sits in a different corner of the organization. Understanding how they interact is the core of continuity literacy.

The Three-Way Gap

Every organization operates inside a triangle of contracts. The three corners are:

The vendor corner. Your organization depends on vendors — SaaS tools, cloud providers, payment processors, AI services. Each of these vendors has an SLA that promises a certain level of service and defines what happens if they fail to meet it. Those SLAs typically promise service credits, not damages. If a vendor goes down and causes you $1 million in losses, the vendor's liability is usually limited to a small percentage of the fees you paid them during the affected period. This is structural and non-negotiable in most vendor contracts.

The customer corner. Your organization sells services to customers, and those customers increasingly demand contractual uptime commitments. Enterprise customers routinely require 99.9% uptime with financial penalties for breach, sometimes with escalating penalties for repeated or extended outages, sometimes with termination rights. Your commitments to customers are often much stricter than what your vendors are committing to you.

The insurance corner. Your organization carries some combination of cyber insurance, errors-and-omissions coverage, and business interruption insurance. Each of these has specific triggers and exclusions that determine whether a particular incident is covered. Most organizations assume their cyber insurance covers more than it actually does, and most cyber insurance policies exclude at least some of the scenarios business leaders think they're protected against.

The three corners together form the Three-Way Gap: the space between what your vendors promise you, what you promise your customers, and what your insurance will cover when both promises are broken. Every organization has a Three-Way Gap. Most have never measured it. The gap is where uncompensated, uninsured risk lives.

Decoding vendor SLAs

Most vendor SLAs share a common structure: an uptime commitment, a measurement methodology, a list of exclusions, and a remedy. Each of these components tends to favor the vendor, not the customer, in ways that aren't obvious until you read carefully.

The uptime commitment is the headline number: 99.9% or 99.99% or sometimes just 99%. The math matters here. 99.9% uptime means 8.77 hours of allowable annual downtime. 99% means 87.6 hours — ten times as much. That difference, roughly 79 hours per year, is often the difference between tolerable and catastrophic for business operations. Check the exact number, not the marketing language. Vendors sometimes advertise "high availability" without committing to specific percentages in the contract.

The measurement methodology determines what counts as downtime. Watch for the following. Does the SLA measure uptime per calendar month or over a rolling window? Does it count degraded performance (the service is technically "up" but too slow to use) as downtime, or only full outages? Does it measure uptime from the vendor's internal monitoring or from customer-visible endpoints? The answers to these questions determine whether outages you experience will count toward the SLA at all. Many customers discover after a bad month that the outages they experienced don't meet the contractual definition of downtime because of the measurement methodology.

The exclusions are typically where most of the real risk hides. Common exclusions include: scheduled maintenance windows (planned downtime isn't counted, even if it affects your operations), force majeure events (natural disasters, wars, government actions — increasingly relevant in the GCC), customer-caused issues (if the vendor can argue that your actions contributed to the outage, the SLA doesn't apply), and third-party failures (if the vendor's own upstream provider goes down, the vendor often disclaims responsibility).

The remedy structure is usually service credits: a percentage of your monthly fees refunded as a credit against future billing. Credits are designed to preserve the vendor relationship, not to compensate for losses. The math is stark. A vendor charging you $10,000 per month who gives you 10% credit for an outage refunds you $1,000. If the outage cost you $500,000 in business impact, you have recovered 0.2% of your loss. This is the normal ratio. It is not a mistake or a bad-faith negotiation — it is how SLAs are structured by default.

The key insight: SLAs protect the vendor, not the customer. They define the minimum standard the vendor commits to, not the maximum protection the customer receives. A business leader who thinks of an SLA as insurance is making a category error.

Customer-side commitments

If vendor SLAs protect vendors, customer SLAs protect your customers. And this is the side of the triangle where business leaders have the most leverage, because customer SLAs are usually written by someone in your organization — often you or your team.

The risk on this side is that the promises you're making to customers don't match the protections you're receiving from your vendors. If you commit to 99.9% uptime with your top 20 enterprise accounts, and the vendor you rely on for the service that supports those accounts only commits to 99.5% uptime, you are taking on the difference — roughly 35 hours of allowable vendor downtime per year that you have promised away to customers. Those 35 hours are your liability, not the vendor's.
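As an added example that is not part of the original post (nor Dataring's own tooling), the following Python script turns the uptime arithmetic from the SLA section and the customer-side gap above into a repeatable calculation, and goes one step beyond the text by compounding several vendors in one dependency chain. Every input figure is one the post itself uses; the chain-of-vendors case is an assumed scenario.

```python
"""Three-Way Gap calculator.

Added example, not Dataring's own tooling. It turns the post's SLA math into
a repeatable check: uptime tier -> allowable hours, the compounding effect of
several vendors in one dependency chain (an extension the post only implies),
the hours you have promised customers that no vendor backs, and the share of a
real loss that a service-credit remedy returns. The figures in __main__ are
the post's own worked numbers, re-entered as inputs.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 365.25 * 24  # 8766 h, which yields the post's 8.77 h at 99.9%


def allowable_downtime_hours(uptime_pct: float) -> float:
    """Annual downtime that an uptime commitment still permits."""
    return (1.0 - uptime_pct / 100.0) * HOURS_PER_YEAR


def chained_availability(vendor_uptimes_pct: list) -> float:
    """Best-case availability of a service that is down whenever any vendor in
    a serial dependency chain (vendor -> subprocessor -> cloud) is down.
    Independent failures compound: two 99.9% vendors give about 99.8%."""
    avail = 1.0
    for pct in vendor_uptimes_pct:
        avail *= pct / 100.0
    return avail * 100.0


def credit_recovery_pct(credit_amount: float, outage_loss: float) -> float:
    """Share of the business loss an SLA service credit actually recovers."""
    return 0.0 if outage_loss <= 0 else credit_amount / outage_loss * 100.0


@dataclass
class GapReport:
    customer_commit_pct: float
    deliverable_pct: float       # what the vendor chain can honestly support
    uncovered_hours: float       # h/year promised to customers, backed by no vendor
    credit_recovery_pct: float   # % of a loss the vendor credit returns


def three_way_gap(customer_commit_pct: float, vendor_uptimes_pct: list,
                  monthly_fee: float, credit_pct: float, outage_loss: float) -> GapReport:
    """Measure the gap the post describes: customer promise vs vendor chain,
    plus how far the vendor's remedy falls short of a realistic loss."""
    deliverable = chained_availability(vendor_uptimes_pct)
    # Hours the chain may be down beyond what you promised customers; never negative.
    uncovered = max(0.0, allowable_downtime_hours(deliverable)
                    - allowable_downtime_hours(customer_commit_pct))
    credit = monthly_fee * credit_pct / 100.0
    return GapReport(customer_commit_pct, round(deliverable, 4),
                     round(uncovered, 1), round(credit_recovery_pct(credit, outage_loss), 2))


if __name__ == "__main__":
    # Post's figures: 99.9% promised, one vendor at 99.5%, $10k/month, 10% credit, $500k loss
    print(three_way_gap(99.9, [99.5], 10_000, 10, 500_000))
    # Assumed scenario: two vendors each at 99.9% look compliant one by one, yet leave a gap
    print(three_way_gap(99.9, [99.9, 99.9], 10_000, 10, 500_000))
```

The single-vendor case reproduces the post's roughly 35 uncovered hours and 0.2% credit recovery; the two-vendor case shows about 8.8 uncovered hours even though each vendor matches the customer commitment on paper.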

The honest question to ask: for each customer commitment your team has made, can your current technical infrastructure and vendor relationships actually deliver? If the commitments were made by sales without input from operations, the answer is often no. And the most common moment to discover this is when a customer files a claim after an outage and your legal team has to figure out whether you're liable.

Enterprise customers are increasingly sophisticated about this. They send detailed third-party risk questionnaires as part of procurement, asking for evidence of tested DR plans, board-approved business continuity programs, and specific RTO/RPO targets for the services your organization delivers. These questionnaires are not compliance theater. The answers are reviewed by the customer's own risk and compliance teams, who make procurement decisions based on what you disclose.

A 2025 study found that roughly 46% of organizations had experienced a data breach or significant service disruption traced to a vendor — which is why customers are asking these questions. Organizations that can answer them substantively (with evidence, not assertions) win more enterprise deals than those that can't.

Cyber insurance and the BCDR connection

The third corner of the triangle is insurance, and specifically cyber insurance, which has become mandatory or near-mandatory in much of the GCC financial sector. SAMA in Saudi Arabia mandated cyber insurance for all financial institutions in March 2025, with minimum coverage set at SAR 100 million. QCB in Qatar introduced similar requirements in April 2025. Across the region, cyber insurance is no longer a nice-to-have.

What's less widely understood is how cyber insurance actually works. Two realities surprise most business leaders.

First, a substantial share of cyber insurance claims are denied. Industry data consistently shows that 30-40% of cyber insurance applications are rejected on first submission, and a significant fraction of claims are denied or reduced because the policyholder couldn't demonstrate required security controls at the time of the incident. The most common reasons for denial: missing multi-factor authentication, inadequate backup and disaster recovery, and poor vendor management practices. A policy that would have paid out if MFA had been deployed will not pay out if MFA was missing, regardless of whether MFA had anything to do with the incident.

Second, premiums are materially lower for organizations that can demonstrate BCDR maturity. Underwriters ask specific questions about business continuity: Is there a documented BCP? Is it tested? How often? Are the results reviewed by leadership? Can you produce evidence? Organizations that answer yes to all of these typically pay 15-30% lower premiums than organizations that can't, for the same coverage level. The financial value of mature BCDR practices is not hypothetical — it appears on your insurance invoice.

Business unit leaders contribute to this picture in two ways. First, the tested and documented MVB plan for your function (from the Minimum Viable Business framework) is exactly the kind of evidence underwriters ask for. Second, your participation in tabletop exercises (from the testing framework) is documentable proof of board-level engagement with continuity risk. Both contribute directly to lower premiums and broader coverage.

One GCC-specific caveat: most cyber insurance and standard business interruption policies exclude acts of war and state-level conflict. Cloud providers have invoked force majeure during regional disruptions, limiting their own SLA liability exactly when customers needed protection most. Organizations operating in the GCC need to understand whether their insurance covers scenarios unique to the region — kinetic attacks on infrastructure, regional conflict, cross-border data restrictions during emergencies — and negotiate explicitly if they don't. The standard policy is not written for the GCC context.

What to look for before signing any vendor contract

The best time to close the Three-Way Gap is before signing. Once you're in a vendor relationship, your leverage drops significantly. Before signing any contract with a vendor your team will depend on, get clear answers to these questions.

What is the exact uptime commitment, measured how? Get the number, the measurement window, and the methodology in writing. Verify it matches what your customer commitments require.

What are the exclusions? Read them carefully. Ask the vendor to walk through specific scenarios: what happens if the vendor's own cloud provider goes down? What happens during scheduled maintenance that exceeds its window? What happens during force majeure?

What is the remedy, and does it have a cap? Most vendor liability caps are measured in months of fees, not in business impact. Understand what the cap is and whether you can negotiate it.

What is the incident notification timeline? How quickly must the vendor tell you about an outage? Many vendors have obligations to notify within hours, but others have no contractual timeline at all. For SAMA-regulated entities, your own notification obligations (6 hours for significant incidents) require vendor notifications that are faster still.

What are the data export procedures at contract termination? How many days do you have to export your data? In what format? Is there a charge? Vendors sometimes impose extraction fees that make data migration prohibitively expensive, which is a soft lock-in that matters during continuity planning.

Does the vendor carry its own insurance, and can they share the certificate? If a vendor's failure causes you significant damage, your ability to recover depends partly on whether the vendor is insured. A vendor with adequate liability insurance is meaningfully lower-risk than one without.

What are the subprocessor disclosure and consent requirements? Many SaaS tools depend on other SaaS tools. If your vendor is using subprocessors, you have a fourth-party risk you may not know about. Good contracts require the vendor to disclose subprocessors and obtain consent before changing them.

What is the change-of-control clause? If the vendor is acquired or sold, what happens to your data, your service, and your pricing? Many organizations lose critical services during vendor acquisitions because no one thought to negotiate this clause.

Third-party risk questionnaires — the two-way street

Risk questionnaires flow in both directions. Your team receives them from customers doing due diligence on you, and your team sends them to vendors doing due diligence on them. In both directions, continuity literacy matters.

When you receive a questionnaire from a customer, it's typically handed to IT or security to fill out. This is a mistake. IT can answer the technical questions but can't answer the business continuity questions substantively without your input. The questions that ask about RTOs, RPOs, documented BCPs, test frequency, and board governance all need business leader input. If the answers are filled out by someone who doesn't know what your function does, the answers will be either too conservative (losing deals) or too optimistic (creating exposure). Neither is acceptable.

When you send a questionnaire to a vendor, the same rule applies in reverse. Don't just accept the vendor's answers as written. Ask follow-up questions about anything that looks vague, and ask for evidence — recent test reports, sample incident response documentation, proof of insurance. Serious vendors will provide this. Vendors that can't or won't should raise concerns.

Five actions to take this quarter

Closing the Three-Way Gap is ongoing work, but there are five specific actions a business unit leader can take this quarter that will meaningfully improve your position.

1. Review your top three vendor contracts. Pull the SLA terms, the data export provisions, and the incident notification timelines for the three vendors your team depends on most. If any of them are unacceptable, initiate a conversation with the vendor about renegotiation. Many vendors will improve terms for existing customers who ask, but almost none will do so without being asked.

2. Ask legal or procurement about your customer-side commitments. Specifically, ask whether any of your customer contracts include continuity commitments (uptime guarantees, breach notification timelines, evidence of DR testing) that your organization may not currently be able to meet. The answer is often yes. This is information you need to have.

3. Contribute to the next vendor risk questionnaire response. When the next enterprise customer sends a risk questionnaire, ask to review the draft response before it's sent. Focus on the business continuity section. Make sure the answers are accurate and that the evidence being cited matches what your function actually does.

4. Ask your CFO or risk manager about cyber insurance. Specifically: what does it cover, what does it exclude, what does the underwriter require, and how does your function's BCDR maturity affect the premium? This is a 30-minute conversation that frequently reveals both risks you didn't know about and opportunities to reduce costs.

5. Create a Continuity Card for your function. A Continuity Card is a one-page summary listing your function's critical vendors, their SLA terms, your customer commitments, the gap between them, and the specific mitigations you have in place. Update it quarterly. Share it with your IT team and your legal team. This card becomes the authoritative source for answering questions about your function's continuity posture, and it makes every subsequent conversation — with IT, with customers, with insurers, with auditors — faster and more productive.

The bigger picture

Continuity literacy is not a legal specialty. It is a business competence. Business leaders who can read vendor SLAs, understand their customer commitments, and contribute to their organization's insurance posture make fundamentally better decisions than those who delegate these topics to specialists. The specialists know the fine print. The business leaders know the business context. Real continuity planning requires both.

The Three-Way Gap is not closable in any absolute sense. There will always be a gap between what vendors promise, what you commit to customers, and what insurance will cover. The goal is not to eliminate the gap — the goal is to see it clearly, measure it, and make informed decisions about which parts of it you can tolerate and which parts you need to actively manage.

This is the fifth post in a five-part series for business leaders on modern business continuity. If you found this useful, the other posts in the series cover downtime economics and the business leader's role in setting RTOs and RPOs, the Minimum Viable Business framework, mapping SaaS and AI dependencies, and the difference between having a plan and being prepared.

If you want help reviewing your vendor contracts, customer SLA commitments, or BCDR insurance posture, Dataring's BCDR consulting practice works with business leaders across the GCC to close the Three-Way Gap. Get in touch to schedule a working session.