Buried in nearly every business-to-business contract is a clause that caps the vendor’s total liability at some small number: often the previous twelve months of fees paid, sometimes a fixed dollar amount, occasionally something even smaller. The clause is so standard that most people sign past it. The effect is that when something goes catastrophically wrong, the customer’s contractual remedy is almost always less than the actual damage, and the vendor’s exposure is essentially capped at giving back what they’ve already been paid.
The math is asymmetric on purpose
Imagine a SaaS contract for $10,000 a month. The limitation of liability clause caps damages at twelve months of fees, or $120,000. The vendor processes data that, if breached, exposes the customer to regulatory fines of $2 million and customer notification costs of $500,000. The contract says: vendor’s maximum exposure is $120,000. The actual harm is over $2.5 million. The customer absorbs the rest.

This isn’t a hypothetical. It’s the standard structure in software, professional services, cloud hosting, and most enterprise vendor relationships. The vendor’s insurance is priced against the cap; the customer’s risk is priced against the harm; and the pricing of the contract itself reflects the vendor’s exposure, not the customer’s. Customers are effectively self-insuring most of the downside without realizing it.
The carve-outs matter more than the cap
Standard limitation clauses have carve-outs: categories of liability that aren’t capped. The most common are gross negligence, willful misconduct, indemnification obligations, breach of confidentiality, and intellectual property infringement. A negotiated contract pays close attention to those carve-outs because they’re where actual recovery is possible. Data breach is sometimes carved out, sometimes not; getting it carved out, or getting a higher cap specifically for data breach exposure, is one of the most valuable contractual moves a customer can make. Vendors will resist, and the resistance tells you what they think they might be liable for. A vendor unwilling to agree to any carve-outs is telling you they intend to be on the hook for nothing.
Insurance is the actual backstop
The realistic recovery in most vendor failures is the vendor’s commercial general liability or cyber insurance, not the contract itself. Customers who care about this require certificates of insurance with specific coverage limits and additional insured endorsements. The vendor’s policy then becomes part of the negotiation: what’s the per-occurrence cap, what’s the aggregate, what’s covered, what’s excluded, and is there enough coverage to address the actual risk profile of the engagement. Sophisticated buyers will sometimes require vendors to carry tech E&O or cyber liability with limits matching the customer’s potential exposure. Less sophisticated buyers sign whatever language is offered and find out the limits when they need them.
The takeaway
A contract is only as enforceable as its remedies. If the limitation of liability clause caps damages below the realistic harm and there are no carve-outs for the categories that actually matter, you don’t have a contract; you have a price list with legal language attached. Read those clauses, negotiate them, and require insurance that fills the gap. Skipping that work is fine until something goes wrong, which is precisely when it stops being fine.