Limitation of liability clauses are the most negotiated provisions in B2B contracts. They're also, paradoxically, among the least carefully read. The negotiation usually happens at the macro level — we want a 12-month cap, they want 3 months, we land at 6 — and the details of what that cap actually applies to, and what's excluded from it, get resolved by default rather than by decision.
That gap between negotiated headline and unexamined detail is where most post-signature surprises originate.
The Cap Amount Is the Easy Part
In a typical SaaS vendor agreement, the limitation of liability clause caps direct damages at some multiple of fees paid — often 12 months' fees, sometimes 6, sometimes 3. The negotiation focuses on which multiple. That negotiation matters, but it's not where the clause complexity lives.
The clause structure that actually determines risk has three components: the cap amount, the carve-outs from the cap (claims that are uncapped or subject to a higher cap), and the exclusion of consequential damages (which typically runs separately from the cap, as an outright exclusion of a category of damages rather than a ceiling on them). Reading only the cap amount without reading the carve-outs and the consequential damages exclusion is like reading only the headline of a term sheet.
Carve-Outs: What's Actually Uncapped
The carve-outs from the liability cap are where the real exposure lives. Most vendor agreements carve out the following from the cap, meaning these claims can exceed whatever the cap amount is:
Indemnification obligations — particularly IP indemnification. If the vendor infringes a third party's IP and you're dragged into the resulting litigation, a cap of 6 months' fees is essentially irrelevant. The vendor's liability to you for IP claims is often uncapped, or subject to a much higher separate cap.
Confidentiality breaches. A vendor that exposes your confidential information — customer data, pricing, proprietary processes — typically has uncapped liability for that exposure in well-drafted agreements. But "well-drafted" is doing a lot of work in that sentence. Check whether your vendor's agreement actually makes this carve-out explicit, or whether their standard form runs the confidentiality liability through the general cap.
Willful misconduct and gross negligence. These carve-outs are common but not universal. A vendor agreement that doesn't carve out willful misconduct from the liability cap is one where intentional bad behavior is still subject to a 3-month fee ceiling. That's a clause worth pushing back on.
Death or personal injury. Required by law in many jurisdictions; check whether the clause is present regardless of what the vendor's base template says.
The practical takeaway: when you read a LOL clause, read the carve-out list with as much attention as the cap amount. The carve-outs determine the universe of claims that can exceed the cap, which is usually a more consequential question than whether the cap is 6 months or 12.
The Consequential Damages Exclusion Is Not the Same as the Cap
Most lawyers understand this distinction in the abstract, but the application gets muddled under time pressure. The liability cap limits direct damages — the vendor's total direct liability to you is capped at X. The consequential damages exclusion is different: it eliminates an entire category of damages (lost profits, loss of business, loss of data, loss of goodwill) entirely, regardless of what the cap amount is.
This means a well-crafted LOL clause from a vendor's perspective looks like this: total liability capped at 3 months' fees (for direct damages), plus no liability whatsoever for indirect or consequential damages. In that structure, even if a vendor's failure costs you $2 million in lost business, you may be limited to recovering the 3-month fee cap for your direct damages, with the consequential damages entirely excluded.
The consequential damages exclusion is usually mutual — your liability to the vendor for consequential damages is similarly excluded. Whether that mutuality is favorable to you depends on the nature of the contract. If you're the one holding the more sensitive data or the one with more significant consequential exposure, you might actually prefer a mutual exclusion. But if the vendor's failure to perform would cause you significant consequential harm and the vendor's exposure to you would only be direct, you're in a structurally asymmetric position.
Mutual vs. Asymmetric Caps
The most common structure in vendor-drafted agreements is a symmetric cap — both parties are subject to the same cap amount. This sounds fair and often is, but it's worth examining whether the factual risk distribution is actually symmetric.
Consider a scenario: a growing company signs a SaaS agreement with an infrastructure vendor for a business-critical workflow automation tool. Annual fees are $80,000. The LOL clause caps both parties at 12 months' fees — $80,000. The vendor's risk from misperforming is capped at $80,000. The company's risk if the vendor's service causes a data exposure or operational failure could be materially higher — regulatory penalties, customer notification costs, reputational damage, downstream contract breaches. The cap is symmetric; the actual risk is not.
We're not saying symmetric caps are wrong — in most commodity vendor relationships they're entirely reasonable. The question is whether the risk profile of the specific contract justifies asking for an asymmetric structure, a higher cap for specific claims, or additional insurance requirements that backstop the contractual cap.
When to Push Back (and When Not To)
The reflexive approach to LOL clauses in some legal teams is to always push for a higher cap and always try to narrow the consequential damages exclusion. This creates unnecessary friction in vendor relationships and often doesn't improve the practical risk position.
The more disciplined approach is risk-tiered: for commodity, low-value, easily replaceable vendor relationships, accepting a standard 6-month fee cap with mutual consequential exclusion is usually fine. For vendors with access to sensitive customer data, for business-critical integrations with significant operational dependency, or for vendors in relationships where failure could trigger downstream contractual breach on your side, the LOL structure warrants real negotiation.
What to ask for in high-risk vendor relationships: uncapped liability for confidentiality breaches and data security incidents, a higher general cap (24 months or higher for critical infrastructure), carve-out of consequential damages for confidentiality breaches and IP indemnification claims, and a requirement for adequate cyber liability insurance with the company named as additional insured. Most of this is commercially standard in enterprise software agreements and won't kill a negotiation if introduced early.
The LOL clause gets signed every day in transactions where nobody on either side has read it carefully. Usually that's fine. When it's not fine, it's the kind of not-fine that produces multi-year disputes. Knowing which of your contracts carry enough risk to warrant careful clause-level review is the core judgment call — and that judgment has to be made before signature, not after.