A limitation of liability clause is usually two paragraphs buried on page 14 of the MSA — and it is the single clause most likely to decide whether a vendor's mistake costs you $80,000 or $5 million. Get the cap wrong, and every other protection in the contract — indemnification, SLA credits, security warranties — becomes theoretical, because none of it can pay out more than the number written into this one clause.
What a limitation of liability clause actually does
Strip out the legalese and a limitation of liability (LoL) clause does two things:
- Sets a dollar cap on total damages either party can recover, regardless of legal theory — contract, negligence, warranty and tort all funnel into the same ceiling.
- Excludes categories of damages entirely, typically "consequential, incidental, special, indirect and punitive damages, including lost profits" — this can zero out a claim even when the cap itself is never reached.
We cover this clause as one of the twelve that determine whether a contract works in our AI contract review guide. It deserves its own deep dive because it's the clause most often skimmed and most expensive to get wrong.
Mutual or one-sided: the first fight
Vendor paper almost always drafts the cap as one-sided: "In no event shall [Vendor]'s aggregate liability exceed the fees paid in the preceding 12 months." There's no matching sentence limiting the customer's exposure — payment obligations and indemnities the customer owes are typically excluded from any cap on the customer's side, or there's no customer cap at all.
A one-sided cap isn't automatically wrong, but it should be the start of the conversation, not the end. Push for a mutual cap as a baseline, then negotiate the carve-outs on both sides from there. If a vendor resists mutuality outright, that resistance is itself informative.
How the cap is usually set: multiples of fees
Most B2B SaaS and vendor contracts express the general cap as a multiple of fees rather than a flat number, because it scales with deal size automatically. Typical market ranges:
- 1x fees — the vendor's opening position on almost every self-serve or low-ACV tool. Fine for low-risk software; too thin for anything touching customer data.
- 2x fees — a reasonable mid-market landing point once a buyer with real leverage pushes back on 1x.
- 3x fees (or a separate "super cap") — common for vendors with elevated risk: PII access, a regulated process, or a single point of failure in your stack.
Two details buyers routinely miss. First, "fees paid in the preceding 12 months" quietly shrinks the cap in year one — three months into a multi-year deal, the cap is one quarter's fees, not the annual number you priced against. Ask for "total fees payable under the then-current term" instead. Second, the multiple only matters relative to the carve-outs below — a 3x cap with no data-breach exclusion is worth less than a 1x cap that properly excludes the claims that actually cost money. A negotiation playbook that fixes your organization's floor on this clause stops the multiple from being re-litigated from scratch every quarter.
The carve-outs that decide whether the cap means anything
The general cap almost never applies to everything. Well-drafted contracts explicitly carve four categories out of it — meaning liability for these is either uncapped or subject to a separate, higher "super cap":
- Data breach / security incident caused by the vendor's negligence.
- Confidentiality breach — unauthorized disclosure of the customer's data or trade secrets.
- IP infringement — the vendor's product infringing a third party's patent, copyright or trademark, usually paired with an indemnification obligation.
- Gross negligence and willful misconduct — un-excludable under the law in many jurisdictions anyway, but worth stating explicitly.
Watch for the version where a vendor lists these carve-outs but attaches only a token super cap — say, 2x instead of 1x — which reads like a concession but does almost nothing against a real incident.
Why an inadequate cap is actually dangerous
Run the numbers. A mid-market SaaS tool costs $80,000/year and its liability is capped at 1x fees with no data-breach carve-out. If that vendor mishandles customer PII, the exposure isn't the $80,000 cap — it's the real cost of the incident: forensics, breach notification, credit monitoring, regulatory fines and litigation. The IBM Cost of a Data Breach Report put the global average cost of a breach at $4.88 million in 2024. The gap between what you can recover ($80,000) and what you're actually out (millions) is your uninsured exposure, in full, with no recourse against the party whose negligence caused it.
The opposite failure mode is just as common: no limitation of liability clause at all. That isn't safety by omission — liability then defaults to whatever your jurisdiction's common law says about breach and negligence damages, which is unpredictable and expensive to litigate. Silence is not a strategy.
Negotiation leverage points, in priority order
Not every ask survives every negotiation. If you can only push on three things, push on these:
- Make the cap mutual. Costs the vendor nothing on paper and removes the biggest structural asymmetry.
- Carve out data breach, confidentiality, IP indemnity and gross negligence from the general cap — uncapped, or a super cap 2-3x higher.
- Base the cap on total fees payable under the term, not trailing-12-months paid, especially on ramping multi-year deals.
- Tie the cap to insurance. Require cyber liability coverage (commonly $2-10M depending on data sensitivity) and reference the policy limits in the contract.
- Fix the exclusion language. "No consequential or indirect damages" is standard. "No liability of any kind, however arising" is a blanket exclusion some vendors slip in — push back on the scope, not just the number.
None of this needs re-deriving every renewal cycle. Write it down once, as a standing playbook position, and every negotiation starts from your own default instead of the vendor's.
How AI red-flag detection catches this automatically
An uncapped or under-sized cap is one of the most pattern-matchable clauses in a contract: a dollar figure or multiple, checked against a fee base. That's exactly what an AI reviewer catches reliably and instantly. POCsheet's free contract analyzer flags uncapped liability by default alongside auto-renewal traps and vendor-only termination rights — extracted cap, fee basis, and whether the standard carve-outs are present, all with the source sentence attached.
Once a playbook is applied, the same clause is evaluated against your organization's floor — "meets," "deviates," or "unknown" — and if it deviates, the AI drafts counter-language you can drop straight into a redline instead of starting from a blank page. That's the difference between reading a clause and knowing, in seconds, whether it's a blocker.
A clause this consequential shouldn't be the one everyone skims to reach signature. Five minutes checking mutuality, the fee base and the carve-outs is the cheapest insurance you'll buy this quarter.