Indemnification is the clause everyone nods along to on the kickoff call and then argues about for weeks in redlines. It sits next to the limitation of liability section, uses some of the same vocabulary, and gets confused with it constantly — even by people who negotiate contracts for a living. That confusion costs money. Here is what indemnification actually covers, how mutual and one-way structures differ, and what fair IP indemnification looks like in a SaaS agreement.
Indemnification vs. limitation of liability
Both clauses show up near the end of a Master Services Agreement, both use words like "liable" and "damages," and both get negotiated in the same redline pass. They do different jobs. Indemnification is a promise to cover a specific category of loss triggered by a third-party claim — if a customer's use of a vendor's software gets the customer sued for patent infringement, indemnification decides who pays for the defense and any resulting judgment or settlement. Limitation of liability is a ceiling on total damages the vendor will pay for anything, typically capped at 12 months of fees and excluding indirect and consequential damages.
The two interact in a way that decides who actually gets made whole. A vendor can offer generous indemnification language and then quietly claw it back by making the liability cap apply to indemnification obligations too — "we'll defend and cover you" becomes "we'll defend and cover you, up to the amount you paid us last year." On an $80,000 annual contract, a third-party IP claim generating $600,000 in defense costs and settlement leaves the customer exposed for $520,000 if the cap swallows the indemnity. The fix: carve indemnification — especially IP infringement, confidentiality breach, and gross negligence — out of the liability cap entirely, or negotiate a separate super-cap (commonly 2x-3x annual fees) that sits above the general one.
What indemnification actually covers
A standard vendor contract bundles several obligations under one heading, but they cover materially different risks:
- IP infringement — the vendor defends the customer against claims that its product infringes a patent, copyright, trademark, or trade secret, and covers the resulting damages. This is the one customers care about most, since they typically have zero visibility into whether the vendor's code, model, or dataset actually infringes anything.
- Breach of confidentiality / data protection — claims arising from the vendor's failure to protect confidential information or personal data as contractually required, often tied to the DPA and breach-notification SLA.
- Gross negligence / willful misconduct — a narrower obligation that survives even aggressive liability caps.
- Customer indemnification of the vendor — the mirror obligation: the customer indemnifies the vendor for misuse, acceptable-use violations, or the customer's own content infringing someone else's rights. Standard and reasonable — the imbalance shows up in scope, not in its existence.
Mutual vs. one-way indemnification
This is where most of the actual negotiation leverage lives. In a one-way structure, only the customer indemnifies the vendor — for misuse, for its own data, for acceptable-use violations — while the vendor's IP indemnification is narrow, capped low, or riddled with exceptions ("except where infringement results from combining the product with other software," "except for open-source components," "except where customer modified the product"). Read literally, that puts most third-party litigation risk on the customer for a product it didn't build and can't inspect.
In a mutual structure, each party indemnifies the other for claims arising from what it actually controls: the vendor covers IP infringement in its own product and its own confidentiality/security failures; the customer covers misuse and claims arising from its own data. Mutual doesn't mean identical obligations — it means each party owns its own risk, which is the point of the clause.
Vendor draft: "Customer shall indemnify, defend, and hold harmless Vendor from any claim arising out of Customer's use of the Services" — no reciprocal obligation anywhere. Customer counter: "Each party shall indemnify the other from any third-party claim arising out of (a) the indemnifying party's breach of this Agreement, (b) its gross negligence or willful misconduct, and (c), as to Vendor only, any claim that the Services infringe a third party's intellectual property rights." Clause (c) is the standard way to keep IP risk vendor-side — the customer isn't writing the code — while making everything else mutual.
IP indemnification for SaaS vendors specifically
SaaS and AI-enabled products add wrinkles that on-prem contracts didn't have to deal with:
- Training-data and model IP. If the product includes an AI/ML component, ask whether indemnification extends to claims that training data or model outputs infringe third-party rights, not just the application code. Many vendor templates predate this issue and simply don't cover it.
- Open-source carve-outs. Reasonable in principle, but should be scoped to components the vendor didn't materially modify — an unbounded "any open-source component" exclusion can swallow a meaningful share of the product.
- Cure obligations. A well-drafted clause doesn't stop at damages. It commits the vendor to, at its option: procure the right to keep using the infringing component, replace it with a non-infringing equivalent, or refund fees for the affected period. Without this, an injunction leaves the customer with an unusable product and a check that doesn't fix the operational gap.
- Notice and consent. The vendor typically controls the defense (reasonable, since it's paying) but should be required to give prompt notice and get consent before any settlement that admits fault or binds the customer.
Negotiation checklist
- Is IP indemnification a binding obligation, or just "commercially reasonable efforts" language?
- Is indemnification mutual for misuse/breach/gross-negligence, with IP indemnification vendor-side?
- Is indemnification carved out of the general liability cap, or subject to a higher super-cap?
- Does IP indemnification include a cure obligation, not just a damages payment?
- Are open-source carve-outs scoped narrowly, not blanket exclusions?
- For AI-enabled products, does coverage extend to model outputs and training-data provenance?
- Does the customer retain notice and consent rights over settlements?
Running this by hand across a five-vendor RFP means reading indemnification and liability language in five different drafting styles and holding the differences in your head. POCsheet's Red Flag Detection flags one-way indemnification and under-scoped IP carve-outs automatically, and the Negotiation Playbook generates counter-language — mutual obligations, cure remedies, carve-outs from the liability cap — as a starting redline instead of a blank page. If you're comparing MSA drafts across vendors, our guide to AI-assisted MSA redlines covers turning these findings into an actual counter-proposal, and the broader 12 clauses to check before signing post places indemnification in context alongside the liability cap.
Two forces are pushing this clause into sharper focus in 2026: AI-assisted products have made the provenance of what you're buying murkier, and regulatory pressure under frameworks like DORA and NIS2 is pushing legal teams to document vendor risk more rigorously across the board — see our DORA/NIS2 procurement checklist for how that plays out contractually. Neither trend makes indemnification optional to negotiate; both make it more expensive to get wrong. For a general primer on how U.S. contract law treats the duty to defend versus the duty to indemnify, the American Bar Association's overview is a solid outside reference for internal legal review.