Quick reference · Commercial
Contract Risk Review: The Key Terms, Triaged
Most commercial contracts are mostly boilerplate, and the real risk lives in a handful of clauses. This is a triage order — the terms that move the most exposure, read first, with what to look for and a typical fallback ask for each. It does not replace reading the whole document; it tells you where to spend your attention when time is short.
How to use this
Work top to bottom. The clauses are ordered by how much risk they typically move, not by where they appear in the document. The first three — indemnification, limitation of liability, and termination — deserve the most careful read on any deal; the rest scale with the transaction. For each, the question is the same: what does this clause do when the relationship goes badly, and is the allocation one-sided?
Two structural points before the walkthrough. First, who drafted it matters — on the counterparty’s paper, assume every ambiguity was resolved in their favor and read accordingly. Second, danger hides in the familiar — a standard-looking heading can sit over a thoroughly one-sided clause, so read what each term actually does, not what it is called.
The triage order
Indemnification — scope, direction, and defense.
Read for three things: what triggers the duty (third-party claims only, or first-party losses too), whether it runs one way or both, and whether it carries a duty to defend, which is broader and more expensive than a duty to reimburse. A one-way indemnity covering vague categories like “any losses arising from the agreement” is where uncapped exposure hides. The usual ask: make it mutual, scope it to actual fault (breach, IP infringement, gross negligence), and tie any defense obligation to defined claim categories. See the deeper treatment of how indemnity and the liability cap interact.
Limitation of liability — the cap and its carve-outs.
Check the cap size (often a multiple of fees paid in a trailing period, but it varies widely), whether consequential and indirect damages are waived, whether the limitation is mutual, and — most important — what is carved out of the cap entirely. Indemnity obligations, confidentiality breaches, and data-security failures are commonly excepted; if they are not, what you can recover may be limited to the cap rather than your actual harm. The usual ask: a mutual cap, a mutual consequential-damages waiver, and carve-outs for the obligations that could actually hurt you.
Termination — convenience, cure, and wind-down.
Can either side terminate for convenience, and on what notice? Is termination for cause gated by a cure period? On the customer side, the questions that bite later are transition assistance and data return — whether you can exit without the vendor holding your operations hostage. The usual ask: a reasonable for-cause cure period, symmetric convenience rights (or none), and an express wind-down or transition-services obligation, with your data returned in a usable format.
Payment terms.
Net terms, late-payment interest, the right to suspend service for nonpayment, auto-renewal with price escalators, and any most-favored-pricing language. The clause that surprises people is automatic renewal tied to a notice window that has already closed by the time anyone looks. The usual ask: a notice window long enough to actually act on, a cap on annual increases, and cure rights before any suspension.
Intellectual property — deliverables versus background IP.
Critical in technology and services deals. Separate ownership of what is created under the contract (deliverables) from each side’s pre-existing IP (background IP). Then read the license: scope, exclusivity, term, sublicensing, and whether it survives termination. A clause assigning “all work product” can sweep in your own tools and methods. The usual ask: each party keeps its background IP; you receive ownership of, or a perpetual license to, deliverables you paid for; and the other side gets a license to anything of yours embedded in those deliverables that it needs to use them.
Warranties and disclaimers.
What is actually promised — performance to specification, a professional standard of care, non-infringement — and what is disclaimed, usually everything implied. “AS IS,” with all implied warranties disclaimed, pairs badly with a low liability cap. The usual ask: a service warranty with a meaningful remedy (re-performance or credit), and a non-infringement warranty backed by the IP indemnity.
Confidentiality.
Definition of confidential information, permitted uses, the survival period, and return-or-destroy obligations. If the deal involves an exchange of sensitive information beyond the contract itself, confirm whether a standalone NDA already governs and which document controls. The NDA triage covers the terms to check when confidentiality is the main event. The usual ask: mutual obligations, standard carve-outs (already known, independently developed, publicly available, compelled by law), and survival appropriate to the sensitivity.
Data protection and security.
If personal data or regulated data is involved — acute in healthcare and technology — determine whether a data processing addendum (DPA) or, under HIPAA, a business associate agreement (BAA) is required, and what concrete security obligations attach (encryption, access controls, breach-notification timing, audit and subprocessor terms). Vague “reasonable security” language with no breach-notice deadline is a gap. Standards here vary by jurisdiction and are actively in flux; confirm what the current rule requires. The usual ask: an appropriate DPA, specified security controls, a defined notification window, and breach costs allocated outside the liability cap.
Insurance and additional-insured status.
Required coverage types and limits (general liability, professional or E&O, cyber where data is involved), and whether you are named as an additional insured or given a waiver of subrogation. Insurance that exists but does not name you, or that is dwarfed by the indemnity you just accepted, is paper protection. The usual ask: coverage and limits proportionate to the deal’s risk, additional-insured status, a waiver of subrogation running in your favor so the counterparty’s carrier cannot sue you after paying a claim, and a certificate before work begins.
Dispute resolution.
Governing law, forum, and whether disputes go to court or arbitration — plus any escalation ladder, jury or class waiver, and fee-shifting. A prevailing-party fee clause reshapes every later settlement conversation. The usual ask: a neutral or home forum, a governing law you understand, and a fee provision you are comfortable being on either side of.
Assignment and change of control.
Can the counterparty assign the contract, or be acquired, and walk your relationship into a competitor’s hands? Anti-assignment clauses that bind you but not them are common. The usual ask: mutual consent to assignment, with a change-of-control trigger giving you a termination right if the counterparty is acquired by a competitor.
Force majeure.
What excuses performance, for how long, and whether payment obligations are excused along with delivery. Read the list of triggering events and the termination right if the event drags on. The usual ask: a balanced definition, payment obligations preserved, and a right to terminate if the excused non-performance exceeds a set period.
Clause-by-clause reference
| Clause | What to check | Typical fallback ask |
|---|---|---|
| Indemnification | Trigger, direction, duty to defend, fit with the cap | Mutual; scoped to fault; defense tied to defined claims |
| Limitation of liability | Cap size, consequential waiver, mutuality, carve-outs | Mutual cap and waiver; carve out indemnity, confidentiality, data |
| Termination | For convenience? Cure period? Transition assistance? | Reasonable cure; symmetric rights; wind-down and data return |
| Payment | Net terms, late interest, suspension, auto-renewal, escalators | Workable notice window; capped increases; cure before suspension |
| Intellectual property | Deliverables vs. background IP; license scope and survival | Keep background IP; own or license deliverables paid for |
| Warranties | What is promised vs. disclaimed | Service warranty with a real remedy; non-infringement |
| Confidentiality | Definition, carve-outs, survival, return or destroy | Mutual; standard carve-outs; survival fit to sensitivity |
| Data protection | DPA needed? Security controls, breach-notice timing | DPA; specified controls; defined notice window; costs off-cap |
| Insurance | Coverage types and limits; additional-insured status | Limits proportionate to risk; additional insured; certificate |
| Dispute resolution | Law, forum, arbitration, waivers, fee-shifting | Neutral forum; known law; fee clause acceptable either way |
| Assignment / change of control | Can they assign or be acquired and bind you? | Mutual consent; termination right on competitor acquisition |
| Force majeure | Triggers, duration, payment carve-out, exit right | Balanced; payment preserved; terminate if prolonged |
Standards and figures here vary by jurisdiction and by deal, and several areas — data protection in particular — are in active flux. Treat the asks as starting positions rather than rules, and confirm specifics against the current law and your own risk tolerance.
Read the limitation-of-liability and indemnification clauses together, never separately. They are one risk-allocation system, and a one-sided pairing — their liability capped, your indemnity uncapped — is exactly where a bad deal hides in plain sight. Either clause can look reasonable alone; the exposure appears only when you hold them up side by side.