The limitation of liability clause is consistently the last section to be finalized in enterprise SaaS negotiations. After all the details about service scope, data handling, and performance commitments have been worked out, the limitation of liability determines how much any of it actually costs you if something goes wrong.
If you’re a SaaS founder entering enterprise sales for the first time, you need to understand that procurement teams negotiate this clause strategically. They have a playbook. They know which asks look reasonable on the surface but materially expand your exposure. And they’ve done this hundreds of times before.
This post covers the most common moves enterprise procurement teams make on the liability clause and how to respond as the provider.
The Baseline You’re Defending
Before getting into procurement tactics, establish what you’re protecting. A well-structured limitation of liability for a B2B SaaS provider typically includes: a general cap on aggregate liability tied to twelve months of fees paid or payable, a mutual exclusion of consequential and indirect damages, and defined carve-outs for obligations where capping liability is inappropriate (willful misconduct, fraud). Third-party IP infringement claims are also often uncapped.
That’s your starting position. Every negotiation move from procurement is designed to expand your exposure beyond this framework.
The Moves and How to Respond
Indemnification for Data Breaches
Procurement will push for a specific indemnification obligation covering data breach costs: forensic investigation, legal fees, notification expenses, credit monitoring, regulatory fines, and third-party claims.
The risk isn’t the indemnification itself. It’s how it interacts with your liability cap. If the data breach indemnification sits outside your cap, or if it’s uncapped entirely, you’ve created a liability channel that can exceed your annual revenue from that customer by orders of magnitude.
How to respond: Accepting a data breach indemnification obligation is often reasonable in enterprise deals, but it must be subject to your limitation of liability. If procurement wants it outside the general cap, offer to include it within a supercap (two to three times the general cap) rather than leaving it uncapped.
Uncapped Liability for Indemnification Obligations
A variation: procurement pushes for all indemnification obligations to sit outside the liability cap entirely. “If your product causes us to get sued, we shouldn’t be limited in what we can recover from you.”
This is one of the most dangerous concessions a provider can make. Uncapped indemnification makes your business uninsurable for that contract and creates a diligence finding if you ever sell the company.
How to respond: Hold the line. Indemnification obligations should be subject to either the general cap or the supercap. Uncapped obligations fall outside what your insurance policy can backstop.
Supercap Structure
Enterprise procurement increasingly pushes for a tiered cap structure with a supercap for elevated-risk obligations. This is a market evolution and not an unreasonable ask. The risk is in the details.
Procurement will try to expand the list of supercap obligations beyond the standard categories — adding items like service availability failures, regulatory non-compliance, or breach of representations and warranties.
How to respond: A supercap of two to three times the general cap for a defined set of obligations (data security incidents, confidentiality breaches, indemnification) is within market norms. Push back on expanding the list. Every obligation that moves from the general cap to the supercap increases your exposure. If procurement wants to add categories, ask them to justify why that specific obligation carries elevated risk.
Tying the Cap to Available Insurance
Procurement won’t put a specific dollar number in the liability cap. Instead, they draft it as “the amount of available insurance” or “the limits of the provider’s applicable insurance coverage.” The language is intentionally open-ended so it floats with whatever your policy limit happens to be.
This is a trap. Your insurance limit is a shared resource across your entire customer base. In an incident impacting multiple customers, the policy limit needs to cover claims from all affected parties. If you’ve agreed to cap liability at your full policy limit with one customer, that customer could consume the entire limit.
How to respond: Decline. Keep your cap at a function of revenue from the specific customer relationship. You can confirm that you maintain appropriate coverage, but the cap should be tied to the economics of the relationship, not the size of your policy.
Total Fees Over the Life of the Contract Instead of Twelve Months
Procurement pushes to change the cap from “twelve months of fees paid or payable” to “total fees paid over the life of the agreement.” On a multi-year contract, this can double or triple your exposure.
On a three-year agreement worth $100,000 per year, a twelve-month cap limits your exposure to $100,000. A lifetime-of-contract cap exposes you to $300,000, and that figure grows with every renewal.
How to respond: The twelve-month rolling cap is the industry norm because it ties liability to the current value of the relationship, not cumulative historical spend. If this becomes a deal blocker, you can move to an 18- or 24-month rolling cap as a compromise.
The “Greater Of” Floor
Procurement drafts the cap as “the greater of $X and twelve months of fees,” where X is a fixed dollar amount representing a multiple of the annual contract value.
The problem is proportionality. A $50,000 per year customer with a $500,000 floor ends up with a cap that bears no relationship to the economics of the deal.
How to respond: If procurement wants a floor, it should be proportional to the contract value. A floor at 1.5 to 2 times annual fees can be reasonable for larger enterprise deals. For anything beyond that, push back on the math.
Broadening Confidentiality to Include Customer Data, Then Carving It Out of the Cap
This is one of the more sophisticated procurement moves. It happens in two steps that may come in separate redlines, making it harder to see the combined effect.
First, procurement expands the definition of Confidential Information to explicitly include Customer Data. Second, procurement adds a carve-out in the limitation of liability section for breaches of confidentiality obligations.
The combined effect: every data incident is now a confidentiality breach, and confidentiality breaches sit outside the liability cap. You’ve effectively uncapped your liability for data incidents through the interaction of two provisions that each looked reasonable on their own.
How to respond: Either exclude Customer Data from the definition of Confidential Information (govern it through the DPA instead) or resist the carve-out from the liability cap. If procurement insists on both, you need to understand that the combined effect is uncapped data incident liability.
The Principle Behind Every Response
The common thread: keep your liability proportional to the value of the customer relationship, and make every concession intentionally rather than incrementally.
Procurement teams are skilled at breaking large asks into smaller, seemingly reasonable edits spread across multiple redlines. Each individual change looks minor. The cumulative effect is a liability framework that no longer protects you. Read every edit in the context of the full clause, not in isolation.
And remember: every concession you make on liability in one customer agreement becomes a data point in diligence if you sell your company. A customer base with inconsistent liability positions across agreements is a risk finding that gets priced into the deal.
No Boiler provides self-service legal document generation and educational content. This material is general in nature and is not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them.