Clauses
Open

Handling third party claims

X.X.  Provider’s Obligations to Handle Cloud Services IP Claims.  If Customer receives a Service Infringement Claim from an Outside Entity (including after the end of a Service Period), and that Claim is not solely the result of Customer’s Improper Customization; Customer’s use of a Trial or Pre-Release Feature; or the Provider’s implementation of Customer’s specifications, instructions, or requirements; and Customer complies with the requirements in the Section “Claim Coordination” below, then, at its own expense, Provider shall do the following as Customer’s only legal remedies for that Claim:

  1. defend Customer from and against the Claim;
  2. pay, on behalf of Customer, all amounts awarded against Customer (including reasonable attorneys’ fees) as a result of the Claim, or any amounts agreed by Provider to be paid in settlement of the Claim; and
  3. if the Claim results in a settlement or court order prohibiting Customer from using any part of the Cloud Services, then either: (i) obtain the necessary rights for Customer to continue using the Cloud Services, if commercially reasonable; (ii) implement an Infringement Mitigation, if feasible; or (iii) if neither of those options is available, proceed with Early Termination in accordance with the “Early Termination” Section, and issue a Prorated Refund to Customer.
  4. {"name":"Reimburse the Customer","addText":"reimburse the Customer for all the Customer's expenses in helping to defend the claim."}

{"name":"Claims involving Trials and Pre-Release","addText":"If the claim involves the Customer’s use of a Trial or Pre-Release Feature, the Provider's  obligations shall be limited to ..."}

Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
{"optionalVariations":{"option1":{"name":"Claims involving Trials and Pre-Release","addText":"If the claim involves the Customer’s use of a Trial or Pre-Release Feature, the Provider's obligations shall be limited to ...","afterText":"</li></ol>","displayedText":"Carve out Claims involving Trials and Pre-Release Features"},"option2":{"name":"Reimburse the Customer","addText":"<li>reimburse the Customer for all the Customer's expenses in helping to defend the claim.</li>","afterText":"and issue a Prorated Refund to Customer.</li>","displayedText":"Reimburse the Customer for helping to defend a Claim"}}}
Before you copy and paste
  • Should we carve out Claims involving Trials and Pre-Release Features?<endsummary>By default, this clause does not carve out Trials or Pre-Release Features. If you offer them, consider adding a carveout so the Provider is not responsible for Claims related to those features.  If not, you can leave it out.Select this variation in the “Optional Variations” panel to add this carveout to the clause.
    • If your agreement already addresses this carveout elsewhere (such as in a separate section or attachment), adding it here might be unnecessary.
    • If it does not, adding it here can help make clear that the Provider’s obligations do not apply to those features.
  • Should we reimburse the Customer for helping us defend a claim?<endsummary>
    • By default, this clause does not require the Provider to reimburse the Customer for costs incurred while assisting with a Claim. But in practice, defending a Claim, especially an IP Claim, often depends on the Customer’s support. The Provider may need technical explanations, usage information, and other help to respond fully and accurately.
    • Adding this clause gives the Customer a right to recover reasonable costs tied to investigation, defense, or settlement. The term “reasonable” is not defined, so the parties may still disagree later about which specific costs are covered. But including the clause can avoid a broader dispute over whether the Provider is responsible for support costs at all, which can make cooperation more reliable.
    • Leaving this clause out allows the Provider to keep the scope of its obligations narrower, and handle reimbursement requests on a case-by-case basis.
    • Select this variation in the “Optional Variations” panel to add the reimbursement obligation to the clause.
  • Should we carve out Claims involving Customer-provided specifications or instructions?<endsummary>This clause assumes the Provider is offering standardized Cloud Services, where the same service is delivered to all customers without tailoring.If your deal includes customized services, such as custom builds, white-label versions, or configurations based on the Customer’s instructions, ask whether that work is clearly defined as a separate service (such as onboarding or professional services) and excluded from the definition of Cloud Services.
    • If the custom work is treated as a separate service, this clause does not apply to it, and no carveout is needed.
    • If the custom work is treated as part of the Cloud Services, consider adding a carveout for Claims caused by following Customer-provided specifications, instructions, or requirements.
  • Is our User Documentation clear enough to support the Customer’s Improper Customization carveout?<endsummary>For the carveout to work, the Provider needs to show that the Customer used the Cloud Services in a way that strays from how they are meant to be used under the User Documentation. That makes the User Documentation an important part of how the carveout applies.This clarity is especially important if the Customer:
    • Modifies the Cloud Services;
    • Combines them with other software, tools, or systems;
    • Uses integration points in ways that are not documented or are discouraged.
    These kinds of usage boundaries are hard to fully capture in the contract. Cloud Services are often designed to be configurable, work with other tools, and run in many different environments. That flexibility is part of their value. But it also makes it difficult to list every unsupported or discouraged use in the agreement itself.That is why this carveout relies on User Documentation. It can define clearer technical boundaries, evolve alongside your services, and help show when a Customer went beyond the expected use.
  • If we offer downloadable software, do we need a carveout for use of outdated versions?<endsummary>This issue only comes up if your Cloud Services include downloadable software components. If everything runs in the cloud and users don’t install anything locally, you can skip this.But if customers have to download and run software, consider whether they are also required to update that software to keep using the Cloud Services.
    • If customers can continue using outdated versions, the Provider could be responsible for infringement claims tied to the outdated code, even if a newer, non-infringing version is available. A carveout can help limit that risk.
    • If the Cloud Services stop working unless the software is updated, the Provider controls which version is in use, so a carveout may not be needed.
    The current clause assumes that the Cloud Services are designed to prevent continued use of outdated software. If that is not the case, a carveout may help clarify that the Provider is not responsible for issues that could have been avoided by updating.

Why we wrote it this way
  • Why we leave out the phrase “hold harmless”<endsummary> “Hold harmless” is a familiar phrase, but not a clear one. Courts across the U.S. disagree on what it means, and whether it adds anything to an indemnity clause. Most jurisdictions treat “hold harmless” as a synonym for “indemnify,” but some courts try to give it independent meaning, suggesting it offers broader protection, such as covering the risk of loss rather than just reimbursement after costs are incurred. That kind of ambiguity can create disagreement later.  If courts or the parties themselves don’t read the phrase the same way, it can lead to arguments about what the clause really requires. If the parties want to draw distinctions about the types of protections or costs this clause covers, it’s better to say that directly.That’s why this clause leaves out “hold harmless” and instead states clearly what the Provider is responsible for.
  • Why we use “pay” instead of “indemnify”<endsummary> We’re not against the word “indemnify.” We just don’t think it adds clarity.On its own, “indemnify” can be vague. Courts and lawyers don’t always agree on what it includes: whether it means reimbursing, paying upfront, or protecting someone from having to incur a cost at all.Even when paired with a list of covered losses, “indemnify” doesn’t make it clear when the Provider must pay. Is it only after a judgment? After the Customer pays out of pocket? Or does it include advancing costs during the claim? That lack of clarity creates confusion.That’s why this clause just says what we mean:
    • pay amounts awarded in the Claim
    • cover settlement payments
    • reimburse reasonable costs of assisting with the Claim (if that optional language is included)
    That’s the substance of indemnification, without relying on legal shorthand.Using “pay” doesn’t narrow the obligation. It just makes it easier for lawyers, business teams, and courts to see what’s covered and when payment is required.
  • Why we include an obligation for the Provider to “defend” the Customer<endsummary>In SaaS deals, it’s often in both parties’ interests for the Provider, not the Customer, to handle the defense in a Service Infringement Claim. Litigation is resource-intensive, but the Provider usually wants to control lawsuits that challenge the intellectual property rights in their Cloud Services. That is especially true if they are already defending similar claims against themselves or other customers. And while Customers often prefer to control their own legal defense, many are happy to defer in this situation. The Provider typically has both the knowledge and the incentive to defend aggressively, particularly when the outcome could affect every customer using the service.
  • Why the Provider’s obligations continue after the Customer’s access ends<endsummary>The Provider’s responsibility doesn’t end just because the Customer’s access does.If a Service Infringement Claim comes in later, even after Service Closure, this clause makes clear that the Provider is still obligated to defend and pay.That is typical in SaaS agreements. Most say that indemnification obligations “survive” the agreement, but they bury that point in a separate survival clause. We think it’s clearer to say it directly. No cross-referencing. Just a clause that explains when it applies.
  • Why we include a carveout for the Customer’s Improper Customizations<endsummary>This carveout limits the Provider’s responsibility when a claim arises from something the Customer did, such as modifying the Cloud Services, combining them with other tools, or using them in unsupported ways. The goal is simple: to avoid making the Provider liable for risks it cannot reasonably control. But this carveout can also make enforcement more complex. When a claim arises, the Provider typically needs to act quickly to take control of the defense. The carveout introduces a threshold question: does the Provider even have an obligation to defend? That question often turns on facts that are not clear at the outset. Was the alleged infringement caused by something the Customer did? By a third-party integration? Or by the Cloud Services as delivered? Sorting that out can delay the Provider’s response or create friction between the parties at a time when coordination matters most. In some cases, the uncertainty may even affect whether the claim is resolved efficiently or escalates. Even so, we chose to include the carveout. The risk of friction or delay is real, but it’s outweighed by the importance of setting clear boundaries around the Provider’s responsibility. If the Customer introduces a risk the Provider did not create or control, it is reasonable to exclude that from the Provider’s indemnity obligations and to work through any case-specific gray areas if and when they arise.
  • Why we specify the costs that the Provider must cover<endsummary>Instead of using broad terms like “liabilities” or “losses,” we spell out exactly what the Provider must cover: (1) amounts awarded or settlement payments; (2) costs of defending the claim; and (3) costs Customer incurred while assisting with investigation, defense, and settlement (if that optional language is included). General terms like "losses" can be interpreted to sweep in broader harms, such as lost profits or business interruption, that usually go beyond what indemnities are meant to cover. Naming the categories directly helps clarify the obligations and reduce the risk of disputes later.
  • Why we avoid listing affiliates or other protected parties<endsummary>Some agreements list affiliates, employees, or other individuals or entities as additional indemnified parties. We do not. This clause focuses on the relationship between the two contracting parties: the Provider and the Customer.  Our rationale:
    • A Provider cannot fulfill its defense obligations effectively without coordinating with the party it is defending. That coordination includes timely notice, strategy decisions, settlement approval, and ongoing cooperation. Without a direct contractual obligation to cooperate with that entity, it is not practical for a Provider to take on responsibility for defending that entity.
    • Limiting the clause to the Customer avoids complicated legal questions about whether non-Customer entities truly qualify as third-party beneficiaries with a direct and enforceable right under the contract.
    Even so, many agreements still include broader lists of indemnified parties. This often reflects a customer’s desire for broader perceived protection across their ecosystem. For providers, accepting broader language, despite the legal and practical challenges mentioned above, is often a pragmatic business decision. In many SaaS contexts, the likelihood of a messy defense is low, and the perceived benefits of faster deal-making, customer goodwill, or market norms may outweigh those risks.Still, for clarity and control, if the goal is to protect specific non-Customer entities, a potentially better approach is to create a separate clause or add language that clearly defines the Provider’s obligations toward them. Simply listing additional parties here, without adjusting the obligations, creates uncertainty about what protections they have and how those protections are enforced.

Definitions
  • Service Infringement Claim<endsummary>a Claim that the Cloud Services, as used by Customer in accordance with this Agreement, infringe or misappropriate others’ Intellectual Property Rights.
  • Customer’s Improper Customization<endsummary>Customer’s modification, change, or combination of the Cloud Services with other software, systems, or data that: (1) results in infringement or misappropriation of others’ Intellectual Property Rights, and (2) would not have resulted in that infringement or misappropriation if Customer had used the Cloud Services as described in the User Documentation.
  • Infringement Mitigation<endsummary> modifying or replacing the allegedly infringing portion of the Cloud Services to make it non-infringing, without substantially impairing the Cloud Services’ primary features.
  • Trial<endsummary>means a limited time period during which Customer may use the Cloud Services on a free or trial basis, as specified in the applicable Order.
  • Pre-Release Features<endsummary>optional features, functionalities, or services that Provider invites Customer to use before they are generally available to all customers.
  • Early Termination<endsummary>nding a Service Period before its expiration date.
  • Claim<endsummary>any demand, notice, investigation, action, suit, or proceeding.
  • Prorated Refund<endsummary>a refund of prepaid fees covering the period from the effective date of termination to the end of the Service Period.
  • Service Period<endsummary>the period beginning on the Service Start Date and continuing for the service duration, as specified in each Order.

Related clauses
  • Limitation of Liability<endsummary>The Limitation of Liability clause sets financial boundaries on each party’s responsibility if something goes wrong, helping both sides manage risk and prepare for worst-case scenarios. One of those scenarios is a lawsuit from an Outside Entity.  This clause addresses that risk through a defense obligation, where the Provider steps in, takes control, and handles the entire claim. For that to work smoothly, the Customer needs confidence that the Provider has both the incentive and financial ability to see the defense through. Capping liability can undercut that structure. Once the cap is reached, the Provider may no longer be required to continue defending the claim. That creates real disruption: a midstream handoff of a live legal claim is rarely smooth. It can mean switching law firms, shifting strategies, and restarting coordination, all while the claim continues to move forward. The result is delay and confusion. If your agreement includes a liability cap, consider carving out this clause. Leaving it uncapped keeps the Provider responsible for the full scope of defense and resolution.
  • Survival<endsummary>Make sure the Survival section is consistent with this clause.  As written, the Provider’s obligation lasts indefinitely (”including after the end of a Service Period”)

X.X.  Customer’s Obligations.  Customer will have the following obligations to handle claims arising from misuse.
If Provider receives a Claim from an Outside Entity (including after the end of a Service Period) and that Claim arises from Customer’s Infringing or Unlawful Content{"name":"Narrower claims - Infringement only", "deleteText":", Customer's violation of the \u201cProhibited Data\u201d Section, or Customer's use of the Cloud Services for a High Risk Activity or unlawful purpose"}, and Provider complies with the requirements in the “Claim Coordination” Section, then, at its own expense, Customer shall do the following:

  1. defend Provider from and against the Claim; and
  2. pay, on behalf of Provider, all amounts awarded against Provider (including reasonable attorneys’ fees) as a result of the Claim, or any amounts agreed by Customer to be paid in settlement of the Claim.
Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
{ "optionalVariations": { "option1": { "name":"Narrower claims - Infringement only", "afterText":"Unlawful Content", "deleteText":", Customer\u2019s violation of the \u201cProhibited Data\u201d Section, or Customer\u2019s use of the Cloud Services for a High Risk Activity or unlawful purpose,", "displayedText":"Narrow the scope to cover infringement claims only" }}}
Before you copy and paste
  • Should we include this “Customer’s Obligations…” clause at all?<endsummary>This clause isn’t mandatory. While many Providers include a Customer indemnity to shift responsibility for certain nonparty claims, others leave it out, especially when the risks are low or the clause might cause unnecessary negotiation friction.The risks covered here, like infringing content, are relatively low in B2B SaaS.  Most platforms are used internally, which means content typically isn’t public-facing, so the chances of defamation, copyright infringement, or similar claims are lower, compared to B2C contexts. And even when content issues arise, they’re often resolved by removing the content, not through lawsuits.Still, these risks are not zero. Customers may upload or generate infringing content, submit sensitive or regulated data without proper consent, or use the Cloud Services in ways the Provider did not intend or permit. Even if the Provider is not at fault, it may be pulled into a third-party dispute or regulatory inquiry, and the associated defense and payment costs could be significant.You may want to include this clause if:
    • your platform supports public or user-generated content;
    • customers might upload others’ sensitive or regulated data (like health, student, or financial information);
    • your Cloud Services could be used in risky or unintended ways; or
    • you're generally trying to reduce exposure to edge-case claims involving customer misuse.
    But if those risks feel remote, and you’d rather avoid drawn-out negotiations with customers, it’s also reasonable to leave the clause out.
  • Should we expand the clause to cover other types of claims?<endsummary>Some platforms carry a greater risk of third-party claims, not just because of what customers upload, but also because of how they use the Cloud Services in regulated or sensitive environments. These risks can come from Customer conduct that violates laws, creates regulatory exposure, or causes harm to others.You may want to broaden the clause if any of the following are true:
    • The Cloud Services are likely to be used in regulated sectors such as healthcare, finance, or education, or in other contexts that involve regulatory risk, such as government use, HR decision-making, or targeted advertising.
    • Customers may use the Cloud Services in ways that violate laws designed to protect others, such as anti-discrimination, marketing, or surveillance laws.
    • A regulator or third party might reasonably expect the Provider to be responsible if a Customer misuses the platform.
    If these risks do not apply, a narrower clause may be sufficient and easier to get through negotiations.
  • Should we narrow the clause to focus only on infringement claims?<endsummary>
    • If the primary concern is that Customers might upload infringing content, and the Cloud Services are not used in high-risk or regulated contexts—then limiting the clause to infringement may offer enough protection.
    • A narrower version still provides meaningful protection in many B2B SaaS scenarios. And it may reduce the time spent negotiating indemnity language.

Why we wrote it this way
  • Why we leave out the phrase “hold harmless”<endsummary>“Hold harmless” is a familiar phrase, but not a clear one. Courts across the U.S. disagree on what it means, and whether it adds anything to an indemnity clause. Most jurisdictions treat “hold harmless” as a synonym for “indemnify,” but some courts try to give it independent meaning, suggesting it offers broader protection, such as covering the risk of loss rather than just reimbursement after costs are incurred. That kind of ambiguity can create disagreement later.  If courts or the parties themselves don’t read the phrase the same way, it can lead to arguments about what the clause really requires. If the parties want to draw distinctions about the types of protections or costs this clause covers, it’s better to say that directly. That’s why this clause leaves out “hold harmless” and instead states clearly what the Provider is responsible for.
  • Why we use the word “pay” instead of “indemnify” <endsummary>We’re not against the word “indemnify.” We just don’t think it adds clarity.On its own, “indemnify” can be vague. Courts and lawyers don’t always agree on what it includes: whether it means reimbursing, paying upfront, or protecting someone from having to incur a cost at all.Even when paired with a list of covered losses, “indemnify” doesn’t make it clear when the Customer must pay. Is it only after a judgment? After the Provider pays out of pocket? Or does it include advancing costs during the claim? That lack of clarity creates confusion.That’s why this clause just says what we mean:
    • pay amounts awarded in the Claim
    • cover settlement payments
    That’s the substance of indemnification, without relying on legal shorthand.Using “pay” doesn’t narrow the obligation. It just makes it easier for lawyers, business teams, and courts to see what’s covered and when payment is required.
  • Why we include an obligation for the Customer to “defend” the Provider<endsummary>When a third party brings a claim based on Customer conduct, such as uploading infringing content, submitting regulated data without consent, or using the Cloud Services for an unlawful purpose, the Customer is the one with the relevant facts. The Provider may have had no visibility into the conduct and played no role in it. This clause requires the Customer to lead the defense so that the party best positioned to respond quickly and accurately is the one handling the claim.
  • Why the Customer’s obligations continue after it stops using the Cloud Services<endsummary>The Customer’s obligations don’t just end because the Customer’s access does. If a Claim shows up later, even after Service Closure, this clause makes  clear that the  Customer is still obligated to defend and pay. That is typical in SaaS agreements. Most say that indemnification obligations “survive” the agreement, but they bury that point in a separate survival clause. We think it’s clearer to just say it here. No cross-referencing. Just a clause that explains when it applies.
  • Why we specify the costs that Customer must cover<endsummary>Instead of using broad terms like “liabilities” or “losses,” we spell out exactly what Customer must cover: (1) amounts awarded or settlement payments; and (2) costs of defending the claim. General terms like "losses" can be interpreted to sweep in broader harms, such as lost profits or business interruption, that usually go beyond what indemnities are meant to cover. Naming the categories directly helps clarify the obligations and reduce the risk of disputes later.
  • Why we leave out any obligation to reimburse assistance costs<endsummary>Unlike the Provider indemnity for Service Infringement Claims, in which Provider is obligated to reimburse Customer for reasonable costs it incurred while assisting with Provider’s defense, this clause doesn’t include any reimbursement obligation. Here, the Customer controls the defense and is responsible for resolving the claim. The Customer might occasionally request help from the Provider, like access to logs, product behavior details, or technical background, but that assistance tends to be specific and limited. By contrast, Service Infringement Claims often require deeper, ongoing involvement from the Customer to support the Provider’s defense of its Cloud Services. That’s why reimbursement appears in the Provider clause but not here.  Including it in this clause would likely create negotiation friction without addressing a frequent or high-burden need.
  • Why we avoid listing affiliates or other protected parties<endsummary>Some agreements list affiliates, employees, or other individuals or entities as additional indemnified parties. We do not. This clause focuses on the relationship between the two contracting parties: the Provider and the Customer.  Our rationale:
    • A Customer cannot fulfill its defense obligations effectively without coordinating with the party it is defending. That coordination includes timely notice, strategy decisions, settlement approval, and ongoing cooperation. Without a direct contractual obligation to cooperate with that entity, it is not practical for the Customer to take on responsibility for defending that entity.
    • Limiting the clause to the Provider avoids complicated legal questions about whether non-Provider entities truly qualify as third-party beneficiaries with a direct and enforceable right under the contract.
    Still, for clarity and control, if the goal is to protect specific non-Provider entities, a better approach is to create a separate clause or add language that clearly defines the Customer’s obligations toward them. Simply listing additional parties here, without adjusting the obligations, creates uncertainty about what protections they have and how those protections are enforced.

Definitions
  • Customer’s Infringing or Unlawful Content<endsummary>Customer Content that violates or infringes others’ Intellectual Property Rights, privacy rights, publicity rights, or other legal rights, including rights to prior consent.
  • High Risk Activity<endsummary>an activity (such as operation of nuclear facilities, air traffic control, life support systems, or emergency services) where the use or failure of the Cloud Services or a particular feature of the Cloud Services would reasonably be expected to lead to death, personal injury, or environmental or property damage.
  • Claim<endsummary>any demand, notice, investigation, action, suit, or proceeding.
  • Service Period<endsummary>the period beginning on the Service Start Date and continuing for the service duration, as specified in each Order.

Related clauses
  • Limitation of Liability<endsummary>The Limitation of Liability clause sets financial boundaries on each party’s responsibility if something goes wrong, helping both sides manage risk and prepare for worst-case scenarios. One of those scenarios is a lawsuit from an Outside Entity. This clause addresses that risk through a defense obligation, where the Customer steps in, takes control, and handles the entire claim. For that to work smoothly, the Provider needs confidence that the Customer has both the incentive and financial ability to see the defense through. Capping liability can undercut that structure. Once the cap is reached, the Customer may no longer be required to continue defending the claim. That creates real disruption: a midstream handoff of a live legal claim is rarely smooth. It can mean switching law firms, shifting strategies, and restarting coordination, all while the claim continues to move forward. The result is delay and confusion. If your agreement includes a liability cap, consider carving out this clause. Leaving it uncapped keeps the Customer responsible for the full scope of defense and resolution.
  • Survival<endsummary>Make sure the Survival section is consistent with this clause.  As written, the Customer’s obligation lasts indefinitely (”including after the end of a Service Period”)

X.X.  Claim Coordination.  To receive the benefit of the other party’s obligations in this Section “Handling Claims from Others”, a party must:

  1. promptly notify the other party of the Claim, though delayed notice only reduces the other party’s obligations to the extent the delay meaningfully impairs their ability to respond or resolve the Claim;
  2. if the other party is responsible for defending the Claim, allow that party to control the Claim’s investigation, defense, and settlement, but only if the notifying party retains the right to hire its own non-controlling counsel at its own expense, and to approve in advance any settlement that would require it to admit fault or a violation of law;
  3. if the other party is responsible for defending the Claim, provide reasonable assistance, upon request, in connection with the Claim’s investigation, defense, and settlement.
  4. {"name":"coordination rights for the party not controlling the defense","addText":"The party not controlling the defense will have the rights to do a, b and c"}
Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
{ "optionalVariations": { "option1" : {"name":"coordination rights", "addText": "<li>The party not controlling the defense will have the rights to do a, b and c", "afterText": "if the other party is responsible for defending the Claim, provide reasonable assistance, upon request, in connection with the Claim’s investigation, defense, and settlement.</li>", "displayedText":"Add coordination rights for the party not controlling the defense. " }}}
Before you copy and paste
  • Should we add coordination rights for the party not controlling the defense?<endsummary>Most B2B SaaS agreements give full control of the defense and settlement to the indemnifying party, to keep things efficient and avoid mixed signals. This clause follows that approach, but the optional language adds two practical guardrails:
    • The party receiving defense can hire its own (non-controlling) lawyer, at its own expense.
    • That party must sign off in advance if a settlement would require it to admit fault or a legal violation.
    These protections are rarely controversial but are often left out to keep things short.Select this addition in the “Optional Variations” panel to add this to the clause.
  • Should we add more coordination steps?<endsummary>Most SaaS agreements (and this clause) use a standard approach to claims: the party with the defense obligation takes control, and the other party helps. That keeps things efficient and clear.But in some cases, especially in regulated industries or sensitive contexts, certain claims could trigger regulatory inquiries, reputational fallout, or public disclosures. If the non-controlling party is more exposed to those risks, it may want additional coordination rights.  These might include:
    • a right to approve public admissions or regulatory communications;
    • a right to participate in selecting the lead counsel; or
    • joint control over specific aspects of the defense.
    These custom protections are not typical in most B2B SaaS deals, but they may be worth considering in certain higher-stakes scenarios.
Why we wrote it this way
  • Why we include a claim coordination section at all<endsummary>Many “indemnification” clauses say who pays, but not what happens when a claim actually arises. That can leave both parties guessing, and potentially arguing, when a claim hits. Without coordination language, they might disagree about:
    • Who gets to choose the lawyer?
    • Who decides the litigation strategy?
    • Who has the final say on settlements?
    By spelling out these steps, the clause gives both sides a clearer roadmap. It explains who controls the defense, what conditions apply to settlements, and what kind of help the other party must provide.This will not prevent every disagreement, but it can reduce surprises and help the parties respond more quickly when a real claim comes in.
  • Why we let one party lead the defense<endsummary>Disagreements over claims often go beyond who pays. They can turn into disputes over how the claim should be handled. If both parties try to steer the defense, they may clash over strategy, timelines, or settlement decisions, especially when their interests do not fully align. This clause gives exclusive control to the party bearing the risk, which helps avoid that friction. The controlling party can respond quickly, make consistent decisions, and focus on resolution. Meanwhile, the other party can still have visibility and safeguards, such as the right to hire its own non-controlling counsel and approve in advance any settlement that would require it to admit fault or a legal violation (see Optional Variations). This structure works well for many types of claims, not just IP, because every claim involves judgment calls. The agreement should make clear who has authority to make those calls.
  • Why we define a clear scope and process instead of relying on strategic vagueness<endsummary>Many “indemnification” clauses are written in vague language. They promise protection, but often use unclear categories of claims and leave out how the parties will coordinate. That vagueness can give the party tasked with defense more room to push back or delay. If the clause is hard to interpret or apply, the party facing the claim may decide not to press for protection or may let it drop when the legal costs of enforcement outweigh the benefit. In practice, vague indemnification provisions often go unused unless the claim is large enough to justify the uncertainty and expense. But the same vagueness that makes it easier for one side to delay or dispute its obligations also makes it harder for the other to enforce them when it matters. If a real claim comes in and the clause is unclear about what is covered, the parties are more likely to argue over interpretation before they can address the substance of the claim. That adds cost, delays the response, and increases the chance of disagreement. The tradeoff is real.  We chose clarity because the “Handling Claims from Others” section covers a narrow set of claims where the parties’ incentives already support cooperation. The claims assigned to each side are ones each party is naturally positioned to lead, either because they have the relevant information or because the claim involves their own service or data. In that context, a clear roadmap makes the clause more usable, easier to negotiate, and more dependable in practice.

Definitions
  • Claim<endsummary>any demand, notice, investigation, action, suit, or proceeding.
Related clauses
  • Notices<endsummary>Make sure your Notices section addresses how to properly notify the other party of the Claim

Limiting each party's liability

X.X.  Capped Liabilities
  1. Special Cap for Data Breach Liabilities.  A party’s cumulative total liability for any claims resulting from its breach of the “Maintaining Confidentiality” Section (solely those obligations pertaining to Customer Content), the “Implementing Security and Privacy Measures” Section, or the DPA (collectively, “Data Breach Liabilities”) {"changeText":"will not exceed One Year of Fees multiplied by 3"}.
  2. General Cap.  Except for a party’s Uncapped Liabilities, Data Breach Liabilities, and liabilities under the “Paying for Services” Section, a party’s cumulative total liability arising out of or related to this Agreement and all Orders will not exceed One Year of Fees.
Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
{ "changeVariations": { "change1": { "name": "Special cap not to exceed", "contextText":"One Year of Fees multiplied by {3}", "displayedText":"Special cap not to exceed" }}}
Before you copy and paste
  • Should we stick with the Special Cap’s 3x multiplier? <endsummary>
    Evaluate whether the chosen multiple (e.g. 3x, 5x, or 10x) is appropriate based on the sensitivity of data, the Cloud Services’ risk profile, and the risk tolerance of you and your customers. The current 3x cap for Data Protection Liabilities is based on the Bonterms Cloud Terms (v1), a form drafted by a committee of lawyers representing both providers and customers.
  • Should we add any other Special Caps?<endsummary>
    Consider whether any other specific risks justify additional supercaps, for example, for liabilities tied to violations of specific regulations.
  • Should we make the Special Cap apply only to Provider breaches, not Customer ones?<endsummary>
    In most SaaS agreements, elevated liability for data breaches applies only to the Provider, even if the Customer has its own security obligations that could contribute to the risk. This clause takes a different approach: it applies the Special Cap to each party’s own breach of their responsibilities.  Read below (“Why we made the Special Cap apply to Customer too”) to learn about our rationale for this position. Our approach may feel more balanced, since both parties can introduce security risk. But it may also surprise some Customers who are not expecting elevated liability on their side. If you think this will lead to friction in negotiation, consider limiting the Special Cap to breaches by the Provider only. That still provides meaningful protection for the Customer while reducing pushback.
  • How will we make this clause conspicuous?<endsummary>
    We’ve used boxed formatting here to make the section stand out, but that won’t carry over when you paste it. All-caps can hurt readability, so legal teams are starting to use bold text or visual cues (like shading or borders) to meet conspicuousness requirements. Remember to apply that styling in your document.

Why we wrote it this way
  • Why Data Breach Liabilities get a “Special Cap”<endsummary>We do not treat these liabilities as uncapped because the potential exposure may be too high for either party to reasonably take on. But we also do not treat them as ordinary liabilities under the general cap, which may be too low given the scale and seriousness of a data breach. Instead, we use a Special Cap. It reflects the unique risk profile of data-related obligations, offering predictability for both sides while still holding each party meaningfully accountable for their own breach.
  • Why the Special Cap applies only when a party breaches its defined obligations<endsummary>Data breaches can happen for many reasons, including mistakes, misconfigurations, novel attack methods, or external causes such as third-party failures or social engineering. Not all of these are within either party’s control. To avoid assigning liability for outcomes that neither side could have prevented, this cap applies only when a party fails to meet its defined obligations, such as Provider’s infrastructure security commitments or Customer’s access control duties. This approach keeps the risk focused on avoidable failures and avoids turning the agreement into a catch-all insurance policy for every security incident.
  • Why we made the Special Cap apply to Customer too<endsummary>In this agreement, both Provider and Customer have clearly defined security obligations, not just in the DPA, but also in the “Implementing Security and Privacy Measures” Section. For example, Customer must manage access controls, apply updates, and prevent malware. These are not passive duties.  They materially affect system security. By applying the supercap to each party’s own breach of its obligations, we reflect the shared responsibility model of cloud services. Security depends on both sides doing their part. This isn’t always how agreements are structured.  In many templates, only the Provider is subject to this elevated cap. But that’s usually because Customer-side obligations aren’t spelled out clearly in the agreement. In this agreement, they are, and the cap applies only if a party breaches those defined duties.
  • Why the definition “One Year of Fees” addresses liability for post-service claims<endsummary>Liability caps often use a one-year fee baseline because it aligns the cap with what the Provider actually earned, and offers a predictable limit on risk for both sides.  But claims do not always appear during active service. Some arise after the Cloud Services have ended. To clarify how to calculate the baseline after the Cloud Services have ended, our definition of “One Year of Fees” includes a reference point even after Service Closure. It looks back to the most recent 12-month period when fees were paid, so there is always a consistent and fair way to calculate the cap, regardless of timing.

Definitions
  • Customer Content<endsummary>[Customer Account Information and] any data or content that Users: (1) submit to their Cloud Services accounts, including from External Tools, or (2) generate from use of the Cloud Services, but excluding Customer Usage Data or any Generative AI Outputs.
  • One Year of Fees<endsummary>the total amount paid or payable by Customer to Provider under all Order(s) during the 12 months immediately preceding the first incident giving rise to liability, or, if the first incident giving rise to liability occurs after Service Closure, the total amount paid or payable by Customer to Provider under all Order(s) during the most recent 12-month period in which Customer paid fees to Provider.
  • Service Closure<endsummary>the end of a Service Period (whether by expiration or Early Termination), without a subsequent Order for the same Cloud Services taking effect immediately after.

Related clauses
  • Services Disclaimer<endsummary>The disclaimer limits what Provider is promising about the Cloud Services, while the liability cap limits what happens if something goes wrong. They're often read together when evaluating risk allocation.

X.X.  Uncapped Liabilities

“Uncapped Liabilities” means:

  1. either party’s liabilities under the Sections “Provider’s Obligations to Handle Service Infringement Claims” and “Customer’s Obligations to Handle Claims Arising from Misuse”;
  2. either party’s liabilities from any claim that it infringed or misappropriated the other party’s Intellectual Property Rights;
  3. either party's liabilities from any claim that it breached the Section “Maintaining Confidentiality”, excluding obligations pertaining to Customer Content; and
  4. liabilities that cannot be limited by law.
Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
Before you copy and paste
  • How will we make this clause conspicuous?<endsummary>
    We’ve used boxed formatting here to make the section stand out, but that won’t carry over when you paste it. All-caps can hurt readability, so legal teams are starting to use bold text or visual cues (like shading or borders) to meet conspicuousness requirements. Remember to apply that styling in your document.

Why we wrote it this way
  • Why this “Limiting Each Party’s Liability” Section starts with with Uncapped Liabilities<endsummary>Most liability caps are phrased as: “Except for x, y, and z, liability is limited to…” That structure can be cognitively harder to parse and reference. By first listing the Uncapped Liabilities, then showing how the remaining liabilities are handled under special or general caps, we mirror how lawyers and contract reviewers typically think about risk. Organizing the clause this way makes it easier to see which risks are never limited, which are capped at a specific amount, and which are covered by the general cap, giving the reader a clearer mental map of how liability is allocated.
  • Why we made indemnification (and defense) liabilities uncapped.<endsummary>We treat indemnification obligations as uncapped liabilities because capping them often leads to real-world dilemmas. For example, if the Provider is responsible for defending a claim, what happens when the cap is exhausted? Do they stop midway through litigation or refuse to pay a full settlement? That is not a workable outcome. That is why liabilities under both the “Provider’s Obligations to Handle Service Infringement Claims” and “Customer’s Obligations to Handle Claims Arising from Misuse” Sections are uncapped. This reflects how many parties and courts already interpret indemnity obligations: as commitments to fully defend and resolve a claim, not just up to a dollar limit.
  • Why we made breaches of confidentiality uncapped, but not those pertaining to Customer Content.<endsummary>It is common to treat general confidentiality breaches as uncapped liabilities, because misuse of sensitive non-public information (like trade secrets or financials) can cause significant harm and is often difficult to value in advance. But we do not treat breaches involving Customer Content the same way. Most providers cannot take on unlimited liability for breaches involving Customer Content, especially when that content includes sensitive or regulated data.  The potential exposure is too great and too uncertain, even when the data is not regulated. That is why we cover breaches involving Customer Content under the Data Breach Liabilities cap, which offers a realistic but still meaningful layer of protection.
  • Why we use the catch-all: “liabilities that cannot be limited by law”<endsummary>Certain types of liability, like those for gross negligence, willful misconduct, or violations of specific statutes, often can’t legally be capped, depending on the jurisdiction. Some agreements list these categories explicitly, but those lists can become incomplete, inconsistent, or legally redundant. Instead, we use a catch-all phrase: “liabilities that cannot be limited by law.” It’s cleaner, more adaptable across jurisdictions, and ensures the agreement doesn’t conflict with any applicable legal limits, without needing to guess which types of liability a court might treat as non-waivable.

Definitions
  • Customer Content<endsummary>[Customer Account Information and] any data or content that Users: (1) submit to their Cloud Services accounts, including from External Tools, or (2) generate from use of the Cloud Services, but excluding Customer Usage Data or any Generative AI Outputs.
  • Intellectual Property Rights<endsummary>under patent, copyright, trade secret, trademark, and moral rights laws, and other similar rights.

Related clauses
  • Services Disclaimer<endsummary>The disclaimer limits what Provider is promising about the Cloud Services, while the liability cap limits what happens if something goes wrong. They're often read together when evaluating risk allocation.

X.X.  Unrecoverable damages

Damages the Parties Will Not Be Liable For:

  • General Business Impact Damages. Except to the extent they fall within a party’s Uncapped Liabilities or Data Breach Liabilities, neither party will be liable for damages arising from the other party's: (i) lost revenues; (ii) diminished business value, goodwill, or reputation; or (iii) reduced future revenues, business opportunities, competitive advantages, or market share.
  • Customer Damages from Special Circumstances (Consequential Damages). Customer acknowledges that the Cloud Services are standardized and are not tailored to Customer’s special circumstances. Customer waives any right to bring a claim against Provider for damages that are foreseeable only because Customer informed Provider of those circumstances before entering into this Agreement.
  • {"name":"Exclude Damages from Generative AI","addText":"Customer Damages from Generative AI Outputs. Provider will not be liable to Customer for any damages arising from Customer’s use, reliance on, or distribution of Generative AI Outputs, including damages arising from any Claim by an Outside Entity against Customer."}
  • {"name":"Exclude damages from external tools","addText":"Customer Damages from use of external tools. Provider will not be liable to Customer for any damages caused by the actions or inactions of a provider of an External Tool. These damages may include those resulting from the loss or modification of Customer Content, or from impacts to how the Cloud Services operate. If this liability exclusion is not enforceable under applicable law, Provider’s total cumulative liability for such damages will not exceed [$5,000] U.S. dollars."}
  • {"name": "Exclude damages from high risk uses", "addText": "Customer Damages from High Risk Uses and Data Submissions. Provider will not be liable to Customer for any damages arising from: (1) any Claim by an Outside Entity that results from[ Customer’s submission of Protected Health Information to the Cloud Services without a BAA in place, or] Customer’s submission of inaccurate Customer Content to the Cloud Services; or (2) Customer’s use of the Cloud Services for High Risk Activities."}
  • {"name":"Exclude damages from trials","addText":"Customer Damages from Trials or Pre-Release Features. Provider will not be liable to Customer for any damages arising from Customer’s use of Pre-Release Features or use of the Cloud Services during a Trial.&nbsp;However, if this liability exclusion is not enforceable under applicable law, Provider’s total cumulative liability for such damages will not exceed [$1,000] U.S. dollars."}
Optional variations
Modify text below to replace it.
Oops! Something went wrong while submitting the form.
{"optionalVariations":{"option1":{"name":"Exclude Damages from Generative AI","default":"checked","afterText":" those circumstances before entering into this Agreement.</li>","addText":"<li><strong>Customer Damages from Generative AI Outputs.</strong>&nbsp;Provider will not be liable to Customer for any damages arising from Customer’s use, reliance on, or distribution of Generative AI Outputs, including damages arising from any Claim by an Outside Entity against Customer.</li>","displayedText":"Exclude damages arising from Generative AI Outputs"},"option2":{"name":"Exclude damages from external tools","default":"checked","afterText":" those circumstances before entering into this Agreement.</li>","addText":"<li><strong>Customer Damages from use of external tools</strong>&nbsp;Provider will not be liable to Customer for any damages caused by the actions or inactions of a provider of an External Tool. These damages may include those resulting from the loss or modification of Customer Content, or from impacts to how the Cloud Services operate. If this liability exclusion is not enforceable under applicable law, Provider’s total cumulative liability for such damages will not exceed [$5,000] U.S. dollars.</li>","displayedText":"Exclude damages from External Tools"},"option3":{"name":"Exclude damages from high risk uses","default":"checked","afterText":" those circumstances before entering into this Agreement.</li>","addText":"<li><strong>Customer Damages from High Risk Uses and Data Submissions.</strong>&nbsp;Provider will not be liable to Customer for any damages arising from: (1) any Claim by an Outside Entity that results from[ Customer’s submission of Protected Health Information to the Cloud Services without a BAA in place, or] Customer’s submission of inaccurate Customer Content to the Cloud Services; or (2) Customer’s use of the Cloud Services for High Risk Activities.</li>","displayedText":"Exclude damages from High-Risk Uses or Data Submissions"},"option4":{"name":"Exclude damages from trials","default":"checked","afterText":" those circumstances before entering into this Agreement.</li>","addText":"<li><strong>Customer Damages from Trials or Pre-Release Features.</strong>&nbsp;Provider will not be liable to Customer for any damages arising from Customer’s use of Pre-Release Features or use of the Cloud Services during a Trial.&nbsp;However, if this liability exclusion is not enforceable under applicable law, Provider’s total cumulative liability for such damages will not exceed [$1,000] U.S. dollars.</li>","displayedText":"Exclude damages from Trials or Pre-Release Features"}}}
Before you copy and paste
  • Is excluding lost revenues reasonable given how our customers use the Cloud Services?<endsummary>In B2C businesses, the Cloud Services may play a direct role in generating revenue — for example, powering checkout flows, ticket sales, or customer transactions. If the service goes down, the customer may miss real-time sales — and see that lost revenue as the most immediate harm. That’s one reason some B2C customers may question the “lost revenues” exclusion, especially in industries where real-time outages have caused major losses. That risk became very real in 2024, when Delta Air Lines sued cybersecurity firm CrowdStrike after a software update issue led to grounded flights and disrupted operations. In contrast, B2B customers are less likely to rely on Cloud Services for real-time revenue capture. Instead, the service may support internal workflows, collaboration, or back-office processes. If there’s an issue with the services, the disruption might slow projects or affect client relationships — but the impact is more diffuse, and direct revenue loss is less likely to occur immediately. That makes the exclusion of lost revenues feel more commercially reasonable in many B2B settings. Many customers still accept lost revenue exclusions as standard, but if you’re negotiating with customers who depend on the Cloud Services for revenue-facing operations, it’s worth considering how this will land.  And if you do remove it, remember that your monetary cap becomes the key safeguard against runaway exposure.
  • Should we exclude damages from Trials or Pre-Release Features?<endsummary>If you offer Customers free access to the full service for a limited time (as a Trial), or early access to experimental or evolving features (as Pre-Release Features), this exclusion helps clarify that Customers use those features at their own risk. Customers are typically not paying for these uses, or understand that the features may not be complete or stable. If you already have a separate section or agreement that covers Trials or Pre-Release Features, adding the exclusion here may be duplicative, or even inconsistent. Include the exclusion here if you want to consolidate all liability terms in one place.
  • Should we exclude damages from External Tools?<endsummary>
    • What problem does this carveout address? Cloud Services often depend on integrations, but when an External Tool malfunctions, it can cause ripple effects that impact how the Cloud Services behave. This carveout draws a clear line: the Provider will not be liable for damages caused by External Tools, even if those damages show up inside the Cloud Services.
    • Does this match how you present the Cloud Services? Customers may view certain External Tools as part of the Cloud Services, especially if the integration is built-in, recommended, or prominently featured. Before including this carveout, check your marketing, onboarding, and customer success materials. If they suggest that you take responsibility for integrated tools, this exclusion may feel unfair. Consider how much choice or visibility Customers have in using the tool.
    • Does this conflict with your performance warranty? If your agreement includes a warranty or commitment regarding the performance of the Cloud Services, make sure this carveout does not conflict with it. This exclusion makes clear that the Provider is not responsible for performance issues caused by External Tools, so your warranty and supporting documentation should not suggest otherwise. Align your documentation and commitments to avoid mixed signals about what the Provider stands behind.
  • Should we exclude damages from high-risk uses or data submissions?<endsummary> This exclusion might be appropriate if you are concerned that Customers could: (1) use the Cloud Services for high-risk activities, (2) submit Protected Health Information without a Business Associate Agreement, or (3) submit inaccurate Customer Content that triggers third-party claims. If only some of these risks apply to your Cloud Services, consider narrowing the exclusion to match the relevant scenarios.
  • Should we exclude damages arising from Generative AI Outputs?<endsummary>This clause limits your liability to customers for damages caused by how Customers use, rely on, or distribute Generative AI Outputs.
    • Why it could be valuable to you as a provider: A disclaimer helps clarify that provider makes no guarantees about the outputs, but it may not block claims for harm caused by flawed or risky outputs. This carveout draws a clearer line, placing responsibility for downstream harm on the Customer, who controls how outputs are used. This can be important if outputs are used in sensitive contexts or unpredictable ways.
    • Why it might be contentious: This clause doesn’t contain a lot nuance, which means the exclusion might apply even if the output issues stem from the provider’s own negligence.  Some customers will argue that it unfairly shifts all risk.
    • When it’s worth including — and whether to tailor it: If Generative AI is a core feature and you have little control over how Outputs are used, this carveout could offer important risk protection. To reduce pushback, you could Providers consider tailoring the scope — for example, excluding only certain categories of claims, or clarifying that the carveout does not apply in cases of gross negligence. But in practice, clean lines are hard to draw. Most agreements either include a broad carveout or leave it out entirely.
  • How will we make this clause conspicuous?<endsummary>We’ve used boxed formatting here to make the section stand out, but that won’t carry over when you copy it. All-caps can hurt readability, so legal teams are starting to use bold text or visual styling (like a box) to meet conspicuousness requirements. Before you paste this clause into your contract, consider either toggling on bold formatting above or applying your own styling in your document.

Why we wrote it this way
  • Why we focus on the phrase “special circumstances” as the basis for “consequential damages”<endsummary>This clause uses the term “consequential damages”, but it doesn’t rely on that label alone. Instead, it addresses the legal principle that is often used to explain when consequential damages are recoverable — a test that comes from Hadley v. Baxendale, a foundational contract case still followed by courts today. Under it, a party is only liable for losses caused by special circumstances if, at the time of contracting, those circumstances were disclosed — and the resulting losses were reasonably foreseeable.Although Hadley didn’t use the phrase “consequential damages,” that term later became a shorthand for this second category of recoverable losses. But over time, lawyers and courts have used it to mean very different things — sometimes referring to indirect or ripple effect losses, and other times to damages that are remote or unforeseeable. That kind of ambiguity leads to confusion and mismatched expectations.  Many other legal scholars and commentators have questioned the consequential damages waiver in various contexts, such as here, here, and here.That’s why this clause expresses the concept directly — and then excludes those damages, even when the legal test would otherwise allow them.Why “consequential damages” is especially confusing in cloud agreementsThe phrase “consequential damages” appears in many contracts by default, often without a shared understanding of what it actually covers. Courts interpret it inconsistently, and even experienced lawyers can’t always agree on what’s in or out. That makes it harder to know what’s really being excluded — and whether the parties actually intended that result.This is especially problematic in cloud services agreements, where data breach fallout can be a major risk. Many of the most costly consequences of a breach — such as:
    • Regulatory fines
    • Notification costs
    • Forensic investigation costs
    — are often treated as consequential damages. Yet when those costs result from a failure to meet contractual obligations, neither party typically intends to exclude them. The label creates more confusion than clarity.Why this clause takes a clearer approachRather than relying on the term “consequential damages” to carry the weight, this clause spells out what’s excluded: damages arising from special circumstances — including risks tied to a Customer’s unique operational setup, their high-value contracts with others, or their specialized regulatory obligations. These are the kinds of losses that might be foreseeable if disclosed, but the clause makes clear that the Cloud Services are a standardized offering — and that disclosure alone doesn’t make those losses recoverable.
  • Why we don’t use the phrase “special damages”<endsummary>Most drafters use the term “special damages” as a synonym for consequential damages — but this clause already addresses that concept directly. Including both terms is a common boilerplate habit, but it creates unnecessary ambiguity: if a contract waives both “special” and “consequential” damages, courts may assume they mean different things and try to distinguish them. That’s where confusion creeps in. Some courts interpret “special damages” using tort-based definitions — like specific, measurable losses — which have nothing to do with contract foreseeability. To avoid that kind of interpretive guesswork, this clause leaves the term out entirely and focuses on the well-established principle of special circumstances and foreseeability instead.
  • Why we don’t use the phrase “indirect damages”<endsummary>“Indirect damages” is a vague and inconsistently applied term. Some contracts use it as a synonym for consequential damages, while others treat it as a broader catch-all for ripple-effect losses — but few define it clearly. Courts often struggle to distinguish it from other damages categories, and the result is legal uncertainty about what’s actually being excluded. In practice, most parties who want to exclude “indirect damages” are really trying to avoid responsibility for business impact losses — like diminished goodwill, lost market share, or reduced future revenues. These are ripple-effect harms that aren’t tied to a specific failure, but instead reflect broader commercial fallout. Rather than rely on the unclear label “indirect damages,” this clause identifies those risks directly — and excludes them. That gives both parties a clearer understanding of what’s in and what’s out, without relying on an imprecise term.
  • Why we don’t use the phrase “incidental damages”<endsummary>While “incidental damages” is defined under the Uniform Commercial Code for goods, the term has no clear or consistent meaning in SaaS or service contracts. Courts have treated it differently, sometimes as a subset of consequential damages, sometimes as a separate category covering mitigation or workaround costs, like engaging a temporary vendor or restoring lost data. That vagueness creates risk. In a data breach, for example, a customer’s reasonable costs to respond—like hiring a breach response team or complying with legal notice obligations—might be labeled “incidental.” A blanket exclusion could be read to bar those entirely, even though both parties would likely expect them to be recoverable. Some providers exclude incidental damages as another method of reducing liability. But in our view, a well-scoped monetary cap already serves that purpose. Including the term risks cutting off recovery for reasonable, foreseeable costs the contract should cover—so we’ve chosen not to use it.
  • Why we don’t use the phrase “exemplary damages”<endsummary>Exemplary damages (also called punitive damages) are intended to penalize especially wrongful conduct — like fraud, bad faith, or intentional harm. Many contracts exclude exemplary damages by reflex — as part of a boilerplate list of damages categories. But including that kind of exclusion may suggest the agreement is trying to shield both parties from liability, even if they commit serious misconduct. That’s not the intent here, so we leave exemplary damages out.
  • Why we don’t use the phrase “punitive damages”<endsummary>This clause doesn’t use the phrase “punitive damages” (or its synonym, “exemplary damages”). These types of damages are meant to punish especially wrongful conduct — like fraud, bad faith, or intentional harm — and are rarely awarded in commercial contract disputes. Many contracts exclude them reflexively, as part of a boilerplate list of damages categories. But doing so may suggest that the agreement is trying to shield the parties from liability even for serious misconduct. That’s not the intent here, so this clause leaves both terms out.
  • Why we use “lost revenues” instead of “lost profits”<endsummary>This clause excludes lost revenues rather than just lost profits to draw a clearer, more defensible boundary around income-based claims. Using the phrase “lost profits” can lead to disputes, not just about how much was lost, but about what counts as profit in the first place. Determining which profits were loss depends on  assumptions about which costs would have applied, what margins would have been, and how to account for hypothetical outcomes. That complexity can make the exclusion harder to enforce. Excluding lost revenues helps avoid those definitional debates. It focuses the exclusion on the total income the customer expected to earn — without having to argue over what portion of that income would have been retained as profit. And because profits are just a portion of revenue, this exclusion still covers them by default. While revenue loss claims can still raise factual questions about the amount, this approach gives both sides a cleaner starting point for what’s in or out of scope.

Definitions
  • Uncapped Liabilities<endsummary>
    1. Provider’s liabilities under the “Provider’s Obligations to Handle Service Infringement Claims” Section[ and the “Customer’s Obligations to Handle Claims Arising from Misuse” Section”];
    2. either party’s liabilities from any claim that it infringed or misappropriated the other party’s Intellectual Property Rights;
    3. either party's liabilities from any claim that it breached the “Maintaining Confidentiality” Section, excluding obligations pertaining to Customer Content; and
    4. liabilities that cannot be limited by law
  • Data Breach Liabilities<endsummary>a party’s cumulative total liability for any claims resulting from its breach of the “Maintaining Confidentiality” Section (solely those obligations pertaining to Customer Content), the “Implementing Security and Privacy Measures” Section, or the DPA
Related clauses
Close Modal