Companies Act, DPDP Act Cannot Fasten Liability On Third-Party Cloud Service Provider Under IBC: NCLT Bengaluru

Shilpa Soman

11 July 2026 2:27 PM IST

  • Companies Act, DPDP Act Cannot Fasten Liability On Third-Party Cloud Service Provider Under IBC: NCLT Bengaluru

    The National Company Law Tribunal (NCLT) at Bengaluru has ruled that the Companies Act, 2013 and the Digital Personal Data Protection Act, 2023 cannot be relied upon to fasten liability on a third-party cloud service provider where there is no direct legal or contractual nexus with the corporate debtor.

    A bench of Judicial Member Sunil Kumar Aggarwal and Technical Member Radhakrishna Sreepada held that Amazon Web Services India Pvt. Ltd. (AWS India) and its officials could not be directed to cooperate under the Insolvency and Bankruptcy Code because they were neither personnel of Shapos Services Private Limited nor associated with the company's management.

    "This Adjudicating Authority also finds that the reliance placed by the Applicant on the provisions of the Companies Act, 2013 and the Digital Personal Data Protection Act, 2023 is misplaced in the facts of the present case, as the obligations under the said enactments cannot be extended to fasten liability upon a third-party service provider in the absence of a direct legal or contractual nexus.", the tribunal ruled.

    Shapos Services was admitted into the Corporate Insolvency Resolution Process (CIRP) on September 17, 2024. The Interim Resolution Professional then sought access to all kinds of data, including details to the AWS account. While other necessary documents were provided in digital format, access to the cloud account couldn't be provided. This was because the account had become inaccessible due to pending dues.

    Unable to retrieve the data, the Interim Resolution Professional approached Searce Cosourcing Service Private Limited, through which Shapos Services had availed AWS services. AWS India was also approached for access to the cloud data.

    AWS India responded that it had no direct contractual relationship with Shapos Services because the services had been provided through a distributor-reseller model. It also stated that the AWS account had been closed on December 25, 2023.

    Under the applicable service terms, the associated data was permanently deleted after the 90-day retention period. That had happened several months before the CIRP began.

    The Resolution Professional then moved the tribunal seeking directions against the suspended directors, Searce and AWS India to cooperate and provide access to the corporate debtor's cloud data.

    The tribunal was called upon to decide whether AWS India and its officials could be directed under Section 19 of the Insolvency and Bankruptcy Code to provide access to the company's cloud data.

    It ruled that Section 19 applies only to the personnel of a corporate debtor and persons associated with its management. AWS India and its officials did not fall within either category. No directions could therefore be issued against them under that provision.

    The tribunal also found that the data sought by the Resolution Professional was no longer available with AWS India because it had already been deleted before the commencement of the CIRP.

    "Further, it is a settled principle that no direction can be issued to a party to produce material which is not in its possession or control. The record clearly indicates that the data sought by the Resolution Professional is no longer available with Respondent Nos. 5 to 7, having been deleted prior to the commencement of CIRP.", it ruled.

    The Resolution Professional had argued that the Companies Act and the Digital Personal Data Protection Act required AWS India to preserve or provide access to the data. The tribunal rejected that contention.

    It held that, in the facts of the case, the obligations under those enactments could not be extended to fasten liability on a third-party service provider in the absence of a direct legal or contractual nexus.

    The application was partly allowed. The tribunal directed the suspended directors to provide all information, documents, records, credentials and access available with them relating to the affairs of Shapos Services.

    It also directed Searce Cosourcing Service Private Limited and its authorised representative to provide any data, records or information available with or accessible to them in relation to the company. The reliefs sought against AWS India and its officials were rejected.

    For RP: Chithra Nirmala and Amritha Jain

    For Respondents: Aneeta Mathew

    Case Title :  M/s Shapos Services Private Limited v. Sri. Mayank Tiwari and OrsCase Number :  IA No. 184 of 2025 in CP(IB) No. 78/BB/2024CITATION :  2026 LLBiz NCLT (BEN) 708
    Next Story