[Legogris]

Do you have a source to back that up?

As far as I understand it, Microsoft has no responsibility for PIIs e-mails going through the Outlook e-mail client. Maybe the US is different, but at least in Europe, the GDPR is clear that software vendors have no responsibility in data being processed locally when it's deployed and run by others.

Oracle has no liability for the data stored in their database.

If you have no way of touching the data, your servers (self-managed or otherwise) aren't touching data in any form, you have no legal liabilities wrt data (apart from agreements of course).

Or am I missing something?