
Yea, but my example wasn't access that auditors have, it's you, as a client.

Now on topic... You could argue that Nord perhaps was a bigger client than you or I am to AWS, and maybe they should have had better access, but the fact of the matter here is that it's absolutely possible that Nord is being accurate when they say "[we] could not have known".

Contract violation or not, you should never have full 100% confidence in someone else's system. If I was Nord and renting cloud I would absolutely assume there were undisclosed accesses, as I bet they are viewing everything now.




As a client I can ask for policies, records, 4th party audit reports, etc., and choose your vendor based on their ability to answer and the quality of answers.

It's not about contract violations; if something like that happens that you don't know about, it would have to be willful deception and incompetence of several organizations.

"We could not have known" is an answer you get when what you really mean is "we didn't think to look". If something like this happened and you had done the right things, the message would be "vendor X violated their policy, our contracts, and auditors A, B, and C failed due diligence requirements here and here".

"We could not have known" as a response means no one should trust NordVPN, because clearly they think they're helpless, which means they aren't clever enough to trust my data with.

> you should never have full 100% confidence in someone else's system

Of course.



