ARTICLE
31 May 2026

APIs: The Invisible Layer In Technology Contracts

ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
Isaivan Naidoo’s articles from ENS are most popular:
  • with readers working within the Healthcare industries

Modern systems are no longer self-contained

Modern software solutions rarely operate independently. Behind a single banking platform, SaaS product or mobile application sits a network of third-party integrations, cloud providers and external services connected through Application Programming Interfaces ("APIs").

For service providers, this model makes commercial and technical sense. APIs enable businesses to scale up quickly, integrate specialised functionality and reduce development time without building every component internally. The legal issue, however, is that many traditional technology contracts still assume the service provider operates within a self-contained environment, when in reality the solution may depend on multiple unseen providers sitting behind the service provider.

The rise of invisible dependencies

A customer may contract with one service provider, while critical functionality relies on:

  • payment gateways;
  • identity verification services;
  • cloud hosting providers;
  • messaging and authentication tools; or
  • AI and analytics integrations.

This effectively creates an invisible dependency chain. The problem is not that these dependencies exist; modern systems are designed this way. The main issue is that contracts often fail to properly address the operational and legal risks that accompany such dependencies.

The accountability gap

Where an underlying API provider experiences downtime, security failures or service degradation, the customer typically suffers the commercial and service consequences first, which can result in operational disruptions and, effectively, in the customer suffering loss. Service providers increasingly include broad exclusions for "third-party services" or "external integrations", despite selecting and integrating those dependencies into the solution themselves. This creates a growing disconnect between control and accountability.

The overlooked risk of unilateral API changes

API-related risks are not limited to outages or security incidents; third-party providers may unilaterally:

  • change API endpoints;
  • deprecate features;
  • amend technical requirements;
  • introduce usage limits; or
  • modify pricing and access models.

Even minor changes to API architecture can impact integrations, service continuity and customer-facing functionality. Where these dependencies sit deep within a service provider’s technology stack, customers may have little visibility into how these changes are managed or whether adequate contingency measures exist.

Inadequate liability caps

Many technology agreements cap liability at relatively low amounts linked to fees paid under the agreement, while simultaneously excluding liability for indirect or consequential damages. This becomes problematic where API failures cause broader operational losses, regulatory exposure or business interruption far exceeding the contractual cap itself. In practice, customers may carry significant operational risk while retaining limited contractual recourse against the service provider, particularly where the service provider seeks to classify API failures as third-party events outside its control.

Data protection

The issue becomes even more significant where APIs process personal or financial information. Data may flow across multiple providers, creating additional considerations around information security, operator agreements, cross-border processing and compliance obligations under the Protection of Personal Information Act, 2013.

Many organisations still approach APIs as purely technical integrations when they increasingly form part of the organisation’s legal, compliance and operational risk landscape.

Rethinking technology contracts

As reliance on APIs, cloud infrastructure and AI-enabled services continues to grow, organisations should place greater focus on:

  • visibility of critical dependencies;
  • liability allocation for third-party failures (under the service provider’s control);
  • obligations to manage changes to integrations; and
  • operational resilience commitments.

Modern systems are increasingly interconnected ecosystems rather than standalone products. Contracts should reflect that reality.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
