1. Home
  2. /
  3. Blog
  4. /
  5. Contracts
Contracts 6 min read

Limitation of Liability Clauses in Vendor Contracts: A Negotiation Guide

What limitation of liability clauses do, why uncapped liability is dangerous, and how to negotiate a fair cap in vendor agreements.

Two business professionals in a corporate office reviewing and negotiating a vendor contract document together, representing limitation of liability clause negotiation in B2B procurement
Cover by POCsheet

A limitation of liability clause is usually two paragraphs buried on page 14 of the MSA — and it is the single clause most likely to decide whether a vendor's mistake costs you $80,000 or $5 million. Get the cap wrong, and every other protection in the contract — indemnification, SLA credits, security warranties — becomes theoretical, because none of it can pay out more than the number written into this one clause.

What a limitation of liability clause actually does

Strip out the legalese and a limitation of liability (LoL) clause does two things:

  • Sets a dollar cap on total damages either party can recover, regardless of legal theory — contract, negligence, warranty and tort all funnel into the same ceiling.
  • Excludes categories of damages entirely, typically "consequential, incidental, special, indirect and punitive damages, including lost profits" — this can zero out a claim even when the cap itself is never reached.

We cover this clause as one of the twelve that determine whether a contract works in our AI contract review guide. It deserves its own deep dive because it's the clause most often skimmed and most expensive to get wrong.

Mutual or one-sided: the first fight

Vendor paper almost always drafts the cap as one-sided: "In no event shall [Vendor]'s aggregate liability exceed the fees paid in the preceding 12 months." There's no matching sentence limiting the customer's exposure — payment obligations and indemnities the customer owes are typically excluded from any cap on the customer's side, or there's no customer cap at all.

A one-sided cap isn't automatically wrong, but it should be the start of the conversation, not the end. Push for a mutual cap as a baseline, then negotiate the carve-outs on both sides from there. If a vendor resists mutuality outright, that resistance is itself informative.

How the cap is usually set: multiples of fees

Most B2B SaaS and vendor contracts express the general cap as a multiple of fees rather than a flat number, because it scales with deal size automatically. Typical market ranges:

  • 1x fees — the vendor's opening position on almost every self-serve or low-ACV tool. Fine for low-risk software; too thin for anything touching customer data.
  • 2x fees — a reasonable mid-market landing point once a buyer with real leverage pushes back on 1x.
  • 3x fees (or a separate "super cap") — common for vendors with elevated risk: PII access, a regulated process, or a single point of failure in your stack.

Two details buyers routinely miss. First, "fees paid in the preceding 12 months" quietly shrinks the cap in year one — three months into a multi-year deal, the cap is one quarter's fees, not the annual number you priced against. Ask for "total fees payable under the then-current term" instead. Second, the multiple only matters relative to the carve-outs below — a 3x cap with no data-breach exclusion is worth less than a 1x cap that properly excludes the claims that actually cost money. A negotiation playbook that fixes your organization's floor on this clause stops the multiple from being re-litigated from scratch every quarter.

The carve-outs that decide whether the cap means anything

The general cap almost never applies to everything. Well-drafted contracts explicitly carve four categories out of it — meaning liability for these is either uncapped or subject to a separate, higher "super cap":

  1. Data breach / security incident caused by the vendor's negligence.
  2. Confidentiality breach — unauthorized disclosure of the customer's data or trade secrets.
  3. IP infringement — the vendor's product infringing a third party's patent, copyright or trademark, usually paired with an indemnification obligation.
  4. Gross negligence and willful misconduct — un-excludable under the law in many jurisdictions anyway, but worth stating explicitly.

Watch for the version where a vendor lists these carve-outs but attaches only a token super cap — say, 2x instead of 1x — which reads like a concession but does almost nothing against a real incident.

Why an inadequate cap is actually dangerous

Run the numbers. A mid-market SaaS tool costs $80,000/year and its liability is capped at 1x fees with no data-breach carve-out. If that vendor mishandles customer PII, the exposure isn't the $80,000 cap — it's the real cost of the incident: forensics, breach notification, credit monitoring, regulatory fines and litigation. The IBM Cost of a Data Breach Report put the global average cost of a breach at $4.88 million in 2024. The gap between what you can recover ($80,000) and what you're actually out (millions) is your uninsured exposure, in full, with no recourse against the party whose negligence caused it.

The opposite failure mode is just as common: no limitation of liability clause at all. That isn't safety by omission — liability then defaults to whatever your jurisdiction's common law says about breach and negligence damages, which is unpredictable and expensive to litigate. Silence is not a strategy.

Negotiation leverage points, in priority order

Not every ask survives every negotiation. If you can only push on three things, push on these:

  1. Make the cap mutual. Costs the vendor nothing on paper and removes the biggest structural asymmetry.
  2. Carve out data breach, confidentiality, IP indemnity and gross negligence from the general cap — uncapped, or a super cap 2-3x higher.
  3. Base the cap on total fees payable under the term, not trailing-12-months paid, especially on ramping multi-year deals.
  4. Tie the cap to insurance. Require cyber liability coverage (commonly $2-10M depending on data sensitivity) and reference the policy limits in the contract.
  5. Fix the exclusion language. "No consequential or indirect damages" is standard. "No liability of any kind, however arising" is a blanket exclusion some vendors slip in — push back on the scope, not just the number.

None of this needs re-deriving every renewal cycle. Write it down once, as a standing playbook position, and every negotiation starts from your own default instead of the vendor's.

How AI red-flag detection catches this automatically

An uncapped or under-sized cap is one of the most pattern-matchable clauses in a contract: a dollar figure or multiple, checked against a fee base. That's exactly what an AI reviewer catches reliably and instantly. POCsheet's free contract analyzer flags uncapped liability by default alongside auto-renewal traps and vendor-only termination rights — extracted cap, fee basis, and whether the standard carve-outs are present, all with the source sentence attached.

Once a playbook is applied, the same clause is evaluated against your organization's floor — "meets," "deviates," or "unknown" — and if it deviates, the AI drafts counter-language you can drop straight into a redline instead of starting from a blank page. That's the difference between reading a clause and knowing, in seconds, whether it's a blocker.

A clause this consequential shouldn't be the one everyone skims to reach signature. Five minutes checking mutuality, the fee base and the carve-outs is the cheapest insurance you'll buy this quarter.

Related reading

Run an AI vendor comparison in 60 seconds

Compare vendor proposals, RFPs and contracts with AI. Free plan: 4 comparisons / month.

Start free

Related articles