SaaS Negotiation Experts

Liability Caps and Indemnities for Buyers

Liability caps and indemnities for buyers decide who carries the cost when a SaaS product fails, breaches data, or infringes a third party right. Vendor default contracts cap liability at a few months of fees and offer narrow indemnities, so the buyer who reads these clauses and pushes for a higher cap and broader protection is the one who is covered when something goes wrong.

Key takeaways

  • Vendor default liability caps are typically 12 months of fees or less, which rarely covers the real cost of a serious breach or outage. Push the cap up.
  • Carve data breach, confidentiality, and intellectual property indemnity out of the general cap, so the protections that matter most are not limited to a few months of fees.
  • Make indemnities mutual where the risk is shared, and insist the vendor defends and covers third party intellectual property claims arising from its own product.
  • These terms cost nothing at signing and everything in a crisis. Negotiate them as hard as price, because a low cap can erase any saving you won on the deal.

Why do liability caps and indemnities matter to buyers?

Liability caps and indemnities matter because they decide who pays when a SaaS product causes real harm, and the vendor default almost always puts that cost on the buyer. The limitation of liability clause sets a ceiling on what you can recover, and the indemnities decide which third party claims the vendor will defend. These clauses are quiet at signing and decisive in a crisis, because a low cap means that even a serious failure leaves you recovering a fraction of your loss.

Buyers focus on price and feature scope and let the legal terms pass on the vendor paper, which is exactly what the vendor intends. A deal that saved a strong percentage on fees is a poor deal if a breach exposes you to losses many times the cap. Treat these clauses as part of the commercial negotiation, not an afterthought for legal to rubber stamp, because the risk they govern can dwarf the saving you won on the number.

What is wrong with the vendor default liability cap?

The vendor default cap is wrong for the buyer because it is set to protect the vendor, typically at the fees paid in the prior 12 months and sometimes a smaller fraction. For a modest subscription, that ceiling can be a few tens of thousands of dollars against a data breach that costs the buyer far more in notification, remediation, regulatory exposure, and lost business. The cap is calibrated to the vendor's revenue, not to the harm the product could cause you.

The fix is to negotiate the cap up, and to do it with reference to the real risk rather than a round number. A super cap, a higher multiple of annual fees for defined high risk categories, is a common and reasonable structure. The vendor will resist, because the cap is one of its core protections, but a buyer who frames the ask around the specific exposure, such as the volume and sensitivity of the data involved, has a strong and defensible position.

Which liabilities should sit outside the general cap?

The liabilities that should sit outside the general cap are the ones where the potential loss is largest: data breach and security incidents, breaches of confidentiality, and intellectual property infringement. A cap that limits these to a few months of fees defeats the purpose of having protection at all, because these are precisely the events that generate losses far beyond the subscription value. Carving them out, with either an uncapped exposure or a much higher super cap, is where the negotiation earns its keep.

Map the carve outs to your actual risk so the ask is concrete and hard to refuse. The table shows the standard categories and the position a buyer should push for.

| Risk category | Buyer position |
|---|---|
| General liability | Capped, but at a higher multiple than default |
| Data breach and security | Carved out or set at a high super cap |
| Confidentiality breach | Carved out of the general cap |
| IP infringement | Vendor defends and indemnifies, uncapped |

How should indemnities be structured for the buyer?

Indemnities should be structured so the vendor stands behind its own product and its own obligations. At a minimum, the vendor should defend and indemnify you against third party claims that its product infringes intellectual property rights, because you cannot control or inspect what the vendor built, and a claim against you for using it is the vendor's risk to carry. The vendor should also indemnify you for losses arising from its breach of the security and confidentiality commitments in the agreement.

Where the risk is genuinely shared, make the indemnities mutual rather than accepting a one sided clause that protects only the vendor. A buyer may reasonably indemnify the vendor for misuse of the product or for content the buyer supplies, but the vendor should reciprocate for the risks within its control. The principle is simple: each party indemnifies the other for the harms it is best placed to prevent, and a contract that loads all the indemnity onto the buyer is one to push back on.

What are the risks of leaving these clauses on vendor paper?

The first risk is discovering the cap only after a breach, when you learn that your maximum recovery is a fraction of your loss and the saving you won on price is irrelevant. These clauses are invisible until the day they matter, and by then they cannot be renegotiated. A deal that looked strong on fees can become an expensive liability because nobody pushed on the limitation clause while there was leverage to do so.

The second risk is treating these as pure legal terms divorced from the commercial deal, so they get settled late and under time pressure by people without leverage. Raise the cap and the indemnities early, while the vendor still wants the booking and the whole deal is in play, and negotiate them with the same discipline as price. Start the renewal or purchase 6 or more months out so there is time to get the protection right before signing.

Get the liability cap and indemnities that actually protect you.

Our buyer side team negotiates the limitation and indemnity clauses alongside price, so a saving on fees is not erased by a low cap. Start with the SaaS Contract Terms Guide, see the AI exposure in the AI carve out clause every contract needs and the vendor specific terms in Salesforce contract terms that protect you, then get a quote.

What is the move on liability caps and indemnities for buyers?

The move is to negotiate the cap up from the vendor default, carve data breach, confidentiality, and intellectual property risk out of the general cap or into a high super cap, and insist the vendor defends and indemnifies you for infringement and for its own breaches. Make the indemnities mutual where risk is shared, and raise all of it early while the whole deal is still in play.

Handled this way, the contract protects you in the crisis it was written to govern, and the price saving you won stays a real saving. If you want us to negotiate these clauses, get a quote and we will review the cap and the indemnities before you sign.

Published market figures reflect 2026 SaaS pricing analyses and are labelled indicative where appropriate.
