Tom Cedoz

Quick reference · Commercial

Indemnification and Limitation of Liability: Reading the Risk-Shifting Clauses

In most commercial contracts, two clauses decide who pays when something goes wrong: indemnification and limitation of liability. They are usually negotiated last, read least, and worth the most. This is a working guide to what each one actually does and where the real money hides.

Updated June 2026 · 7 sections · Prints to 2 pages

Why these two clauses, together

Indemnification and limitation of liability are read as a pair because they pull in opposite directions. Indemnification expands exposure — it makes one party responsible for costs it would not otherwise bear. Limitation of liability contracts exposure — it caps the total and strips out whole categories of damages. The net risk a contract carries is not either clause alone; it is what survives after both are applied to each other. A generous indemnity means little if the cap swallows it, and a comfortable cap means little if the indemnity sits outside it. Read them separately, then read them against one another.

Indemnification: what it actually shifts

An indemnity is a promise to absorb someone else’s loss. In its classic form it covers third-party claims — if a customer, regulator, or stranger sues you because of something the other side did, the other side pays. Some indemnities also reach direct claims between the parties, which effectively converts the indemnity into a damages provision and deserves close attention, because direct-claim indemnities can quietly route around the rest of the contract’s remedies and limits.

The questions that decide an indemnity’s real scope:

  • What triggers it? Negligence, breach of the agreement, IP infringement, data breach, violation of law, bodily injury or property damage. Each trigger is a separate risk transfer; list them deliberately rather than accepting a single broad recital.
  • Defend, or just reimburse? A “defend and indemnify” obligation requires the indemnitor to fund and run the defense as claims arise — valuable, because defense costs accrue long before liability is established. An “indemnify only” obligation may not reimburse until the matter resolves, leaving you carrying fees in the interim.
  • Who controls the defense, and who consents to settlement? The party paying usually wants control; the party whose name is on the suit wants a say. A common middle ground gives the indemnitor control of the defense but requires the indemnitee’s consent to any settlement that admits fault, imposes non-monetary obligations, or is not fully paid by the indemnitor.
  • What are the conditions? Prompt written notice, reasonable cooperation, and tender of control are typical preconditions. Confirm that a late or imperfect notice does not forfeit the entire indemnity unless the delay actually prejudiced the defense — a forfeiture-for-any-breach condition turns a procedural slip into a total loss of coverage.
  • Mutual or one-way? Mutual indemnities are normal where both parties create third-party risk. One-way indemnities are normal where only one party does — a vendor indemnifying for its product, for instance. Symmetry for its own sake is not the goal; match the indemnity to who actually generates the exposure.

Indemnities can carry their own internal limits — a cap, a basket or deductible below which no claim is paid, and a relationship to insurance (does available coverage reduce the indemnity, and is the indemnitor required to carry insurance that backs the promise?). An indemnity is only as good as the indemnitor’s ability to pay; insurance requirements and, where warranted, a parent guaranty are what make the promise collectible.

Limitation of liability: the cap and the exclusions

A limitation-of-liability clause does two distinct things. First, it sets a cap — a ceiling on total liability, expressed either as a fixed sum or, more often, as a multiple of fees paid (frequently the fees paid in the twelve months before the claim, though the measuring period varies). Second, it excludes categories of damages entirely — typically consequential, indirect, incidental, special, and punitive damages, and often lost profits and lost revenue by name.

The damages exclusion is usually best drafted as a mutual waiver. Both parties have potential consequential exposure, and a one-sided waiver tends to be the first thing the disadvantaged party attacks. A mutual waiver is easier to defend, easier to close, and usually closer to the real allocation of risk — though a buyer whose primary harm is lost profits should think hard before waiving the very damages that measure its loss. Lost profits can be either direct (the benefit of the bargain) or consequential depending on the deal, and a blanket waiver of “consequential damages, including lost profits” has been read to bar even direct lost-profit recovery — so a buyer who cares about that recovery should carve direct lost profits out of the waiver or define the term precisely.

The carve-outs — where the real money is

The most important question in the entire limitation-of-liability clause is not the size of the cap. It is which obligations sit outside the cap and remain uncapped. Carve-outs are the exceptions that say “this limit does not apply to…” — and they routinely matter more than the number they except. The categories most commonly carved out of both the cap and the consequential-damages waiver:

| Common carve-out | Why it usually belongs outside the cap |
| --- | --- |
| Indemnification obligations | Third-party liability can vastly exceed contract fees; capping the indemnity at fees paid can leave the indemnitee exposed for the bulk of a third-party judgment. |
| Breach of confidentiality | The harm from a confidentiality breach is rarely measured by fees and is often consequential in nature — precisely the damages a cap and waiver would otherwise eliminate. |
| IP infringement | Infringement exposure — damages plus injunction risk — bears no relation to the fees paid and can dwarf the deal. |
| Gross negligence & willful misconduct | Caps or releases for intentional misconduct, fraud, and willful misconduct are unenforceable in nearly every state; treatment of gross negligence and recklessness is genuinely split, and even where a cap is allowed the line between capping and full exculpation can matter. Most parties do not want to cap any of them in any event. |
| Data-breach / security liability | Breach response, notification, regulatory penalties, and class exposure can be enormous and are commonly negotiated to a separate, higher cap or left uncapped. |

Whether a particular carve-out is enforceable turns on public policy, and the rules differ meaningfully. A cap or release for intentional misconduct, fraud, or willful misconduct is unenforceable in nearly every state, so a cap on those rarely holds; whether a cap on gross negligence or recklessness holds at all genuinely varies by state. Confirm the carve-outs and any caps against the governing law rather than assuming the printed clause controls.

How the two clauses interact

The interaction is the whole point. A carved-out indemnity is, by design, an uncapped obligation — so an indemnity for IP infringement or a data breach that sits outside the liability cap is exposure with no ceiling, regardless of how low the headline cap appears. Conversely, an indemnity that is not carved out is silently limited by the cap and the damages exclusions, which may render it far narrower than its own text suggests. Trace each indemnity trigger through the limitation-of-liability clause and ask: capped or uncapped, and against which measure of damages?

Realistic negotiation fallbacks

  • On the cap size: if a fixed multiple of fees is resisted, separate caps work well — a general cap at, say, the fees paid, and a higher “super-cap” (a multiple of that, or a fixed larger sum) for sensitive categories like data security, with true uncapped status reserved for the few items that warrant it.
  • On carve-outs: if a counterparty resists fully uncapped indemnities, a higher separate cap for those categories is a common landing spot — preserving the principle that the cap should not swallow indemnity, IP, confidentiality, or data-breach exposure.
  • On defense: if “defend and indemnify” is resisted, require advancement of defense costs subject to repayment if indemnity is later found not to apply — this keeps the indemnitee from financing the defense.
  • On insurance: back the key indemnities with required coverage at stated limits, naming the indemnitee as additional insured where appropriate, so the promise is collectible even if the indemnitor cannot pay from its own balance sheet.

For the broader pass these clauses sit within, see the Contract Risk Review.

The thing behind the thing

The carve-outs from the liability cap matter more than the cap number itself. A “cap” that looks comfortably low can be hollow if an uncapped data-breach or IP-infringement indemnity sits outside it — that single carved-out obligation can exceed the entire value of the deal. Read the exceptions before you celebrate the ceiling.