
Limitation of Liability Clauses: How to Spot, Negotiate, and Draft Them Right


A single missing carve-out in a limitation of liability clause cost one SaaS vendor’s customer $4.2 million in unrecoverable losses after a data breach. The vendor’s liability was capped at 12 months of fees — $36,000 total. The customer had no recourse for the remaining $4.16 million because their lawyer never negotiated a data breach carve-out.

Limitation of liability (LOL) clauses determine the maximum financial exposure under any contract. According to World Commerce & Contracting, poor contracting practices erode an average of 9% of annual revenue, with losses exceeding 15% in complex industries. LOL clauses sit at the center of that loss — they define what you can and cannot recover when things go wrong.

This guide breaks down every component of limitation of liability clauses, covers negotiation strategy by contract type, and gives you sample language you can use in your next deal. If you need an AI second opinion on the LOL clause in a contract sitting on your desk right now, try Clause Labs free — it flags cap mismatches, missing carve-outs, and one-sided exclusions in under 60 seconds.

What Is a Limitation of Liability Clause?

A limitation of liability clause is a contractual provision that caps how much one party can recover from the other for breach. Without one, liability exposure is theoretically unlimited — governed only by whatever a court might award.

Every LOL clause has two distinct components:

The liability cap sets a maximum dollar amount on direct damages. Common formulations include a fixed dollar figure (“liability shall not exceed $500,000”), a formula tied to fees (“liability shall not exceed fees paid in the prior 12 months”), or a per-incident or aggregate structure.

The consequential damages exclusion disclaims liability for indirect losses — lost profits, lost revenue, lost data, business interruption. This component often matters more than the cap itself because consequential damages frequently dwarf direct damages in commercial disputes.

If you review only one clause in any contract, make it this one.

The Two Types of Liability Limitations

Liability Caps on Direct Damages

Liability caps come in several structures, each with different risk profiles:

| Cap Structure | Example Language | Risk Level for Claimant |
|---|---|---|
| Fixed dollar amount | “shall not exceed $500,000” | Moderate — predictable but may be too low |
| Formula-based (12-month fees) | “shall not exceed fees paid in prior 12 months” | Variable — depends on deal size |
| Formula-based (total fees) | “shall not exceed total fees paid under this agreement” | Better — scales with relationship |
| Per-incident | “shall not exceed $100,000 per claim” | High — limits recovery on each event separately |
| Aggregate | “shall not exceed $500,000 in the aggregate” | Highest — total pool depletes across all claims |
| Annual reset | “shall not exceed $200,000 per contract year” | Moderate — replenishes annually |

What’s market-standard depends entirely on contract type and deal size. For SaaS agreements, 12 months of fees paid is the most common cap structure. For professional services, the cap typically ranges from 1x to 3x fees paid under the applicable statement of work.

The critical question for your client: does the cap reflect the actual exposure if the other party breaches? A $36,000 cap on a contract governing data for 100,000 customers is a red flag no matter how “market-standard” the formula looks.

Consequential Damages Exclusions

Consequential damages — also called indirect, special, or incidental damages — include lost profits, lost revenue, lost data, lost business opportunities, and business interruption. The distinction between direct and consequential damages is notoriously unclear, and courts across jurisdictions define the boundary differently.

Most commercial contracts exclude consequential damages mutually, meaning neither party can recover indirect losses from the other. This creates a predictable risk allocation — but it also means that if a vendor’s software failure destroys your client’s revenue for a quarter, your client may only recover the subscription fees, not the lost revenue.

When to accept a mutual consequential damages exclusion:

  • Both parties face roughly equal risk of indirect losses
  • The direct damages cap is adequate to cover realistic exposure
  • Specific high-risk scenarios (data breach, IP infringement) are carved out

When to push back:

  • The exclusion is one-sided (only protects the other party)
  • There are no carve-outs for high-impact scenarios
  • Your client’s primary risk is exactly the type of loss being excluded

The 8 LOL Negotiation Points That Actually Matter

1. Cap Amount

The most obvious negotiation point, but lawyers often accept “12 months of fees” without analyzing whether it’s adequate.

What to evaluate: Compare the cap to realistic damages scenarios. If your client’s potential loss from a breach is $2 million and the cap is $50,000, the clause is functionally an exculpation — the breaching party faces no meaningful financial consequence.

What to push for: Higher multiples for higher-risk contracts. For a SaaS agreement governing critical business data, push for 24 months of fees or a fixed dollar minimum (e.g., “the greater of $500,000 or 12 months of fees”).

2. Cap Structure — Per-Incident vs. Aggregate

An aggregate cap depletes over time. If your client suffers three separate breaches and the aggregate cap is $500,000, the third claim may find the cap already exhausted.

What to push for: Per-incident caps for ongoing relationships, or aggregate caps that reset annually.

3. Carve-Outs and Super-Caps

Carve-outs exclude certain obligations from the general liability cap. Standard carve-outs include:

  • IP indemnification — almost always carved out
  • Confidentiality breach — increasingly carved out, especially post-GDPR/CCPA
  • Data breach — the most heavily negotiated carve-out in 2026
  • Willful misconduct and fraud — typically carved out by law regardless
  • Indemnification obligations — often subject to a separate, higher “super-cap”

A super-cap sets a higher ceiling for carved-out obligations. For example: general liability capped at 12 months of fees, but IP indemnification and data breach obligations capped at 24 months of fees.

4. Mutual vs. One-Sided

A one-sided LOL clause only protects one party. If you’re reviewing a vendor contract where the vendor’s liability is capped but your client’s isn’t, that’s a fundamental imbalance.

What to push for: Mutuality. If the vendor insists on capping their liability at 12 months of fees, your client’s liability should be capped at the same amount. The rare exception: if one party’s risk profile is genuinely asymmetric (e.g., a data processor handling millions of records for a small fee).

5. Consequential Damages Scope

The words matter here. “Indirect, special, incidental, and consequential damages” is broader than just “consequential damages.” Some clauses add “lost profits” to the exclusion explicitly — which may otherwise be classified as direct damages in certain jurisdictions.

What to watch for: Broad exclusions that use “including but not limited to” followed by a list that captures both indirect AND potentially direct damages.

6. Gross Negligence and Willful Misconduct

Should the cap apply when a party’s breach results from gross negligence or willful misconduct? In most jurisdictions, courts will refuse to enforce caps that protect a party from its own intentional wrongdoing. But contractual language matters.

What to push for: Explicit carve-out: “The limitations in this Section shall not apply to damages arising from a party’s gross negligence, willful misconduct, or fraud.”

7. Data Breach Liability

Data breach carve-outs are the single most negotiated LOL term in 2026. With all 50 states now requiring breach notification and notification timelines ranging from 30 to 60 days, the costs of a data breach extend far beyond the contract value.

What to push for: At minimum, a super-cap for data breach obligations (2x-3x the general cap). Ideally, full carve-out from the cap for breaches involving personal data.

8. Insurance Alignment

The LOL cap should align with the insurance requirements in the contract. If you require the other party to carry $5 million in professional liability insurance, but their liability is capped at $50,000, the insurance requirement is meaningless — they’ll never face a claim that exceeds the cap.

What to push for: LOL cap at or near the required insurance limits, or at minimum, ensure insurance covers the carved-out obligations.

Limitation of Liability Red Flags

These provisions should trigger immediate review and pushback:

  • No LOL clause at all — unlimited exposure for both parties
  • Trivially small cap relative to potential damages (e.g., $10,000 cap on a contract governing $5 million in services)
  • One-sided cap that only protects the vendor
  • Broad consequential damages exclusion with no carve-outs — especially for data breach, IP infringement, and confidentiality
  • Cap includes indemnification — this may effectively nullify the indemnification clause entirely
  • Aggregate cap that doesn’t reset in multi-year contracts — the cap depletes over time
  • Exclusion of “all indirect damages” — broader than just consequential
  • No carve-out for willful misconduct or fraud — may be unenforceable anyway, but the ambiguity creates litigation risk

For a structured approach to catching these red flags across entire contracts, see our contract red flags checklist.

LOL by Contract Type: What’s Market-Standard

SaaS and Software Agreements

  • Standard cap: 12 months of fees paid
  • Standard carve-outs: IP indemnification, confidentiality breach, data breach
  • Consequential damages: Typically excluded mutually
  • Negotiation range: 12-24 months of fees; push for super-cap on data breach at 2x-3x
  • Key issue: Ensure data breach liability isn’t swallowed by a general cap that’s pegged to a relatively small subscription fee

For a deeper analysis of SaaS-specific risks, see our guide on how to review SaaS agreements.

Professional Services and MSAs

  • Standard cap: Total fees paid under the SOW, or 12 months of fees
  • Standard carve-outs: Gross negligence, willful misconduct, IP infringement
  • Negotiation range: 1x-3x fees for the general cap
  • Key issue: Order of precedence — does the MSA cap apply to individual SOWs, or is there one aggregate cap across all SOWs?

Employment Agreements

  • LOL is uncommon in employment agreements
  • When it appears, it’s typically in arbitration provisions limiting remedies
  • Key issue: Statutory rights (FLSA, Title VII, state wage laws) cannot be contractually limited. Courts will void LOL provisions that attempt to cap statutory damages.
  • Reference: ABA Model Rules require attorneys to ensure clients understand what rights they’re waiving

Vendor and Supplier Agreements

  • Standard cap: Purchase price or 12 months of purchases
  • Product liability: Usually carved out (and often non-waivable under UCC Section 2-719 for personal injury in consumer goods)
  • Warranty claims: May be subject to a separate cap
  • Negotiation range: 1x-2x annual purchase volume

Commercial Leases

  • Landlord liability limitations are common and often aggressively one-sided
  • Tenant liability limitations are rare — landlords resist them
  • Property damage and personal injury: Usually carved out
  • Key issue: “Exculpatory clauses” in leases face heightened scrutiny in residential contexts and may be void by statute in some jurisdictions

How LOL Interacts With Other Clauses

Limitation of liability doesn’t exist in isolation. It interacts with — and sometimes contradicts — other risk allocation provisions.

LOL + Indemnification: The most contentious interaction. If indemnification obligations fall within the general liability cap, a party’s entire indemnification protection may be worth less than the legal fees to enforce it. Push for indemnification to sit outside or above the general cap. For a complete analysis, read our indemnification clause guide.

LOL + Insurance: The cap should align with insurance requirements. If the contract requires $2 million in errors and omissions coverage but caps liability at $50,000, there’s a fundamental mismatch.

LOL + Warranties: If warranty breach counts against the general cap, a significant warranty claim could exhaust the cap and leave nothing for other claims.

LOL + Data breach provisions: Is data breach inside or outside the cap? Given that 29% of most AI-related breaches stem from third-party SaaS platforms, this question has real financial consequences.

Best practice: Review the LOL clause, indemnification, insurance requirements, and warranties together as a system. A change to one affects all the others.

Sample LOL Clause Language

Standard Mutual Limitation (SaaS)

LIMITATION OF LIABILITY. EXCEPT FOR (I) OBLIGATIONS UNDER SECTION [INDEMNIFICATION],
(II) BREACH OF SECTION [CONFIDENTIALITY], (III) LIABILITY ARISING FROM A PARTY'S
GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR (IV) A PARTY'S DATA BREACH OBLIGATIONS
UNDER SECTION [DATA PROTECTION]:

(A) IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES, REGARDLESS OF THE FORM OF ACTION; AND

(B) EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED
THE AMOUNTS PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS IMMEDIATELY
PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

FOR CLAIMS ARISING UNDER SECTIONS [INDEMNIFICATION], [CONFIDENTIALITY], OR
[DATA PROTECTION], EACH PARTY'S LIABILITY SHALL NOT EXCEED TWO TIMES (2X) THE
AMOUNTS PAID OR PAYABLE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

This structure provides a general cap with a super-cap for high-risk obligations. Note that it’s mutual, includes standard carve-outs, and creates a two-tier system.

Aggressive Vendor-Favorable Limitation (For Comparison)

IN NO EVENT SHALL VENDOR BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL,
CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOST DATA,
OR BUSINESS INTERRUPTION. VENDOR'S TOTAL LIABILITY SHALL NOT EXCEED THE FEES PAID
BY CUSTOMER IN THE THREE (3) MONTHS PRECEDING THE CLAIM.

Red flags: one-sided (only limits vendor liability), extremely low cap (3 months vs. 12), no carve-outs, includes “lost data” in the exclusion (dangerous for data-dependent services).

When LOL Clauses Are Unenforceable

Courts may refuse to enforce LOL clauses in several circumstances:

  • Unconscionability — gross disparity in bargaining power combined with unreasonably harsh terms. Under UCC Section 2-719(2), limitation of consequential damages for personal injury from consumer goods is prima facie unconscionable.
  • Personal injury or death — most jurisdictions prohibit contractual limitations on bodily injury liability
  • Fraud or intentional misconduct — a party generally cannot limit liability for its own fraud
  • Violation of statutory rights — employment discrimination damages, consumer protection claims, and other statutory remedies typically cannot be capped by contract
  • Failure of essential purpose — when a limited remedy “fails of its essential purpose” under UCC 2-719(2), the broader limitation may fall with it. As the Masuda Funai analysis explains, courts split on whether a failed exclusive remedy also voids the consequential damages exclusion.

Jurisdiction note: Enforceability standards vary significantly by state. Negotiate as if the clause will be enforced — but understand that a court in your jurisdiction might reach a different conclusion. As the Lexology analysis of U.S. contractual liability limitations notes, commercial contracts between sophisticated parties face a lower unconscionability hurdle than consumer agreements.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your situation.

How AI Analyzes Limitation of Liability

AI contract review tools can evaluate LOL clauses against market standards in seconds. When you upload a contract to Clause Labs, the AI identifies the cap amount, cap structure, carve-outs, consequential damages exclusions, and checks for interactions with indemnification and insurance requirements. It flags missing LOL clauses, one-sided limitations, caps that appear too low for the deal size, and missing carve-outs for data breach and IP obligations.

The free tier includes 3 contract reviews per month — enough to test the analysis on a real contract before committing to the Solo plan at $49/month for 25 reviews.

Frequently Asked Questions

What’s a reasonable limitation of liability cap?

It depends on the contract type and deal size. For SaaS agreements, 12 months of fees paid is standard, with 24 months becoming more common for enterprise deals. For professional services, 1x-3x total fees is typical. The key question: does the cap bear a reasonable relationship to the potential damages if the other party breaches?

Should limitation of liability be mutual?

Generally, yes. If one party’s liability is capped, the other party’s should be too. A one-sided cap suggests the drafting party is trying to shift disproportionate risk. The exception: genuinely asymmetric risk profiles, such as when a data processor handles massive volumes of personal data for a small processing fee.

What’s the difference between limitation of liability and indemnification?

Limitation of liability caps total exposure. Indemnification creates an obligation to compensate for specific losses (typically third-party claims). They interact in critical ways — read our indemnification clause guide for the full analysis. The most important question is whether indemnification obligations fall inside or outside the liability cap.

Should data breach be carved out of the liability cap?

In 2026, the answer is almost always yes. Data breach costs regularly exceed contract values by orders of magnitude. At minimum, negotiate a super-cap (2x-3x the general cap) for data breach obligations. For contracts involving significant personal data, push for a full carve-out.

Can you have no limitation of liability?

Yes — if neither party includes an LOL clause, liability is unlimited (subject to whatever a court would award). This is more common in simple agreements, but it’s risky for both parties. Even if you’re the party with more bargaining power, unlimited liability creates unpredictable exposure.

What happens if the cap is reached — can I still make claims?

Once the cap is exhausted, the capped party has no further financial exposure for claims subject to the cap. However, obligations carved out from the cap (IP indemnification, data breach, willful misconduct) remain enforceable up to their respective limits. This is why carve-outs and annual cap resets matter.

