
Indemnification and limits of liability are two of the most heavily negotiated sections in any SaaS agreement, and they touch each other in ways that are easy to miss. AI provisions dominated the last year and a half of contract drafting conversations, but the core SaaS issues never went away. They still drove most of the back and forth on these deals.
This mini course was hosted by Laura Frederick and featured David Cohen, founder of Tech Attorney Cohort. David has practiced in technology for over twenty years across cybersecurity, ad tech, and e-commerce, and now runs a training platform for technology attorneys and contract managers. He brought a structured framework for analyzing indemnities that worked across both standard IP infringement claims and the much messier security event scenarios, which made the conversation useful for anyone who reviews SaaS agreements regularly.
The mini course walked through how IP infringement and security event indemnities should be treated differently, when a first party indemnity for breach of contract is actually appropriate, how to think about liability caps for data protection, and the practical problem of capping defense costs in IP litigation.
Here are our top ten takeaways from the speakers' comments during the webinar:
Look at where the real costs land BEFORE arguing over indemnity scope. In IP infringement claims, the biggest cost is litigation, and the vendor is defending either way. The customer's role is mostly being the defendant on paper. Even mitigation costs like rewriting infringing code fall on the vendor under standard clauses. That means a narrow IP indemnity often covers what you actually need as a customer.
Watch the remedies clause for backdoor exits. Many IP indemnities give the vendor a refund-and-walk-away option when a workaround gets too expensive. We have seen vendors use that as a backdoor to drop customers they have decided are not worth the trouble. The prorated refund rarely matches the customer's real switching costs, so flag this language even on deals where the rest of the indemnity looks fine.
Treat security event indemnities differently from IP infringement indemnities. A vendor can comply with every security obligation in the contract and still get hit by a sophisticated attack. Indemnifying for the event itself, not just a breach of the security schedule, means writing checks for things outside the vendor's control. Push back on the event-based version where you can, and shift the conversation to enhanced caps or expanded losses instead.
Use a three-question framework to test whether an indemnity is appropriate. Does the indemnifying party have meaningful control over what triggers the indemnity? Does the indemnified party have a relationship with the claimant and want to handle the matter? Is there another remedy under the contract for the same issue? If the answers point against an indemnity, move the conversation to the limitation of liability clause.
Recognize when a first party indemnity is just a breach of contract claim in disguise. When the indemnity starts looking like a breach of contract claim, you might not need the indemnity. The real concern is usually the scope of losses, and that belongs in the limitation of liability clause. There is also a timing wrinkle. If the indemnifying party disputes whether there was a breach, you are right back in the same fight you would have under breach of contract.
Anchor liability cap conversations to the IBM Cost of a Data Breach report. There is no accepted market standard for enhanced caps on data protection. The IBM report publishes concrete numbers on breach costs by country, industry, and data type. Bring it to negotiations and especially to internal escalations. The numbers are usually lower than people assume.
Get your business team in the room for liability caps. The CISO, the data security team, whoever actually knows what data is being shared and how sensitive it is. Picking a number out of the air is the worst way to set a cap. You want an evidence-based estimate, not a guess dressed up as legal judgment.
Bucket your remedies so they do not collide. Service level credits as a sole and exclusive remedy work only if the breach they cover is narrowly defined. Anything outside that bucket should remain subject to other contract remedies. We have seen this carved into 48-hour or first-week windows for downtime credits, with anything beyond that triggering the warranty or general breach remedies.
Resist caps on IP defense costs even when you cannot get uncapped indemnity overall. A capped defense becomes useless once the cap hits two days into a trial. Push for uncapped defense costs and a separate cap on the judgment payment. Otherwise the vendor walks away mid-trial and the customer is left defending a claim against the vendor's own IP without the same incentive to win.
Carve out exceptions when you give an indemnity for confidentiality-related claims. If the only reason a third party even knows the vendor has the data is because the vendor breached its confidentiality obligations, the indemnity should not apply. The general concept of a customer indemnity for third party claims is not unreasonable, but it needs guardrails so the customer is not on the hook for the vendor's own missteps.






