June 16, 2026 · 10 min read
Indemnification Clauses: What's Standard in 2026

What is a standard indemnification clause?

In many commercial and SaaS contracts, a standard indemnity covers third-party claims rather than direct losses between the parties, includes a duty to defend, follows a defined claim procedure, and sits outside or above the general liability cap. The near-universal vendor indemnity is third-party IP infringement, usually paired with a data or security-breach indemnity. There is no single legal "correct" set of terms, but this is the convention most counterparties recognize as fair.

An indemnity does two jobs that are easy to conflate. It shifts financial responsibility for a defined set of claims from one party to the other (the duty to indemnify), and it can also oblige one party to run and fund the other's legal defense from the moment a claim is filed (the duty to defend). Those are separate obligations triggered at different times, and a clause that mentions one does not automatically include the other.

This guide continues our "what is standard?" clause series, alongside our limitation of liability guide. It is written for in-house legal teams and the business users they enable: the sales, procurement, and partnerships colleagues who hit these clauses daily and need to know when an indemnity is normal, when to push, and when to escalate.

Top 3: Indemnification ranks among the top three most-negotiated commercial contract terms, alongside limitation of liability and price, and has held that position for over a decade. Source: World Commerce & Contracting (WorldCC), Most Negotiated Terms 2024.

What's actually in an indemnification clause

A well-drafted indemnity has several moving parts, and they should be read as separate levers rather than one block of text.

1. The covered claims (the trigger). The list of third-party claims the indemnitor takes responsibility for. In a pure SaaS deal the standard vendor bundle is third-party IP infringement plus a data or security-breach indemnity. In broader commercial contracts the classic triggers add bodily injury or death, property damage, breach of contract, negligence, and violation of law.

2. The duty to defend (the early obligation). A duty to fund and manage the legal defense as soon as a claim is filed, regardless of whether liability is ever established. Courts are split on whether an indemnity silent on defense includes it: some imply a right to recover the cost of defending a third-party claim, while others require explicit language, and the rule for shifting attorneys'-fee costs varies by jurisdiction. Because of that uncertainty, practitioners state the defense obligation, and whether defense costs are included, expressly.

3. The duty to indemnify (the financial backstop). Reimbursement of damages and costs once liability is established by judgment, award, or settlement. This is the narrower, later-triggered obligation.

4. The claim procedure and remedy. Prompt written notice, a duty to cooperate, control of the defense, settlement-consent rights, and, for IP claims, the standard repair, replace, or refund remedy ladder.

Defend and indemnify are not the same word twice

"Defend, indemnify, and hold harmless" is shorthand for three obligations, not one magic phrase. A party with only a duty to defend may have to fund the defense of claims that turn out not to be indemnifiable at all, recovering nothing. Defending a third party's claim is also frequently not covered by the indemnitor's own liability insurance, so it can be out-of-pocket, uninsurable exposure. Where it matters, practitioners tie the defense obligation to insurance coverage and state expressly whether defense costs are included.

The standard exclusions to the IP indemnity are well established and worth confirming are present: the customer's unauthorized modifications, use of the service in combination with non-vendor hardware or software, use contrary to documentation or instructions, and continued use after notice of infringement. The drafting risk runs in both directions. Triggers that are too narrow leave you under-protected on a data breach. Triggers that are too broad, such as "any and all claims," can recreate effectively unlimited and unintended exposure.

Is it reasonable?

Use the table below to triage an indemnity quickly. The "Standard" column is the position most counterparties accept without much friction. "Aggressive" is where you should push back. "Red flag" is where you escalate or walk.

| Element | Standard | Aggressive (push back) | Red flag (walk away) |
| --- | --- | --- | --- |
| Covered claims | Vendor indemnifies for third-party IP infringement and data or security breach caused by the vendor | Vendor offers IP only, no data or security indemnity on a data-rich deal | "Any and all claims," with no link to the vendor's own acts or the service itself |
| Mutuality | IP one-sided vendor to customer; confidentiality and data indemnities mutual; narrow customer-data indemnity | One-sided indemnity protecting only the vendor, with no reciprocity | You indemnify the other party for their own negligence, gross negligence, or misconduct |
| Duty to defend | Defense obligation stated expressly, with control and consent rights defined | Indemnity silent on defense, so defense costs are unclear | Duty to defend "any claim" with no insurance behind it and no notice condition |
| Relationship to cap | IP indemnity outside the cap (or uncapped); data or security under a super-cap or carved out | Indemnities folded back inside the general liability cap | Indemnity uncapped and one-sided, leaving unlimited exposure on you with no carve-back |
| Damages covered | Direct losses, third-party damages, and reasonable defense costs; consequential damages excluded | Indemnity that quietly sweeps in indirect or consequential damages | Indemnity for indirect, consequential, and punitive damages with no exclusion at all |
| Procedure | Prompt notice, cooperation, repair/replace/refund remedy for IP, settlement-consent rights | No customer consent over settlements that admit fault or restrict use | No notice or cooperation conditions, so the indemnitor loses control of its own defense |

The point of the table is proportionality. A small deal can still generate a catastrophic third-party claim, which is why an IP or data indemnity capped at deal value can turn the innocent customer into an unintended insurer. That mismatch is exactly why the inside-versus-outside-cap question matters more than haggling over the general cap number itself.

Red flags

Treat any of these as a trigger to push back hard or escalate: a one-sided indemnity that protects only the counterparty (the single most-cited red flag); overbroad "any and all claims" triggers with no link to the indemnitor's own acts; being asked to indemnify the other party for their own negligence, gross negligence, or willful misconduct; an indemnity capped at deal value with no carve-out from the general cap, leaving disproportionate third-party exposure; an indemnity that sweeps in indirect or consequential damages; a duty to defend with no notice condition, no cooperation duty, and no insurance behind it; or silence on whether the indemnity sits inside or outside the liability cap. Most of these are individually fixable. Several of them together usually mean the indemnity was drafted to shift all the risk one way.

How to negotiate it

The cleanest way to negotiate an indemnity is to decide your three positions before you open the document, then trade down a defined ladder rather than improvising. This is the playbook concept: a documented ask, fallback, and walk-away for the clause, so anyone on the team negotiates it the same way.

1. Set your standard ask
2. Define your fallback
3. Fix your walk-away line
4. Negotiate indemnity alongside the cap
5. Match downstream commitments to upstream coverage

A typical ladder for a buyer on a data-rich deal looks like this. Ask: an uncapped vendor IP indemnity, a mutual data and confidentiality indemnity carved out of (or super-capped above) the general cap, a clear duty to defend, and customer consent over settlements that admit fault or restrict use. Fallback: accept a super-cap (typically negotiated in the 2x to 5x annual-fees range, with buyers pushing toward the higher end for data and security) instead of fully uncapped for data and security, keep the IP indemnity uncapped, and secure participation rights in the defense at your own expense. Walk-away: a one-sided indemnity capped at deal value, no data or security coverage, no duty to defend, and you indemnifying them for their own misconduct.

Three tactics consistently help. First, negotiate the indemnity alongside the liability cap, not separately, because the inside-versus-outside-cap relationship is where the real money sits and silence is the most-litigated ambiguity. Second, match your downstream customer commitments to your upstream supplier and model-provider protections, so you never indemnify more broadly than you are yourself covered. Third, treat reciprocity as the fairness norm: if you demand an uncapped indemnity from the counterparty, expect your own indemnity to them to be uncapped or reciprocal, so reserve that ask for the risks you genuinely control.

What the other side will argue

Most indemnity negotiations recycle the same handful of counterparty arguments. Having a calm, standard response ready keeps the conversation on the substance.

| They say | You say |
| --- | --- |
| "Our indemnity is one-sided because we carry the delivery risk." | "For IP infringement, agreed, that is your code and your risk. For data and confidentiality we both hold each other's data, so those indemnities should be mutual." |
| "We need to control the defense because we are the ones paying." | "Reasonable, so long as we keep consent over any settlement that admits fault, restricts our use, or imposes non-monetary obligations, plus participation rights." |
| "All indemnities are capped at the general liability cap, no exceptions." | "A small deal can still trigger a catastrophic third-party claim. The IP indemnity needs to sit outside the cap, and data and security under a super-cap, not the base number." |
| "We will indemnify and defend, that covers everything you need." | "Defend and indemnify are two obligations triggered at different times. We need the clause to state expressly that defense costs are included and from when." |
| "We cannot agree to an uncapped data indemnity." | "Then let's set a fixed-dollar or super-capped data indemnity instead of unlimited, and tie it to the cyber insurance you already carry." |

The framing that unlocks most of these is WorldCC's own finding: only about one in six negotiators believes the team is focusing on the right things, because practitioners over-index on legal-risk clauses such as liability and indemnity while rating scope, delivery, and service levels as more important to the outcome. Spending an extra week on indemnity boilerplate while the operational terms go unexamined is the classic version of that mistake.

Sample clause language

Not legal advice

The language below is general, illustrative guidance to show what standard and aggressive positions tend to look like. It is not legal advice, it is not a substitute for counsel reviewing your specific agreement and governing law, and Bind is not a law firm. Indemnity enforceability, and in particular the treatment of a party's own negligence, varies by jurisdiction; align the clause with the law that governs your contract.

Standard, balanced position (illustrative):

Vendor will defend Customer against any third-party claim alleging that the Service, as provided by Vendor and used in accordance with this Agreement, infringes that third party's intellectual-property rights, and will indemnify Customer for damages and reasonable costs finally awarded or agreed in settlement. This obligation does not apply to claims arising from Customer's unauthorized modifications, use of the Service in combination with non-Vendor products, or use contrary to the documentation. If the Service is held to infringe, Vendor will, at its option, (a) procure a license for continued use, (b) modify or replace the Service to be non-infringing, or (c) if neither is commercially reasonable, terminate the affected Service and refund prepaid, unused fees. Customer will give prompt written notice and reasonable cooperation, and Vendor will not settle any claim that imposes a non-monetary obligation on or admits fault by Customer without Customer's prior written consent, not to be unreasonably withheld. The IP indemnity is uncapped and the data-protection indemnity is subject to a cap of [super-cap]; both sit outside the general limitation of liability.

This is balanced because the covered claim is tied to the Service Vendor actually provides, the standard exclusions are present, the defense and remedy procedure is defined, the customer keeps consent over harmful settlements, and the clause states expressly where each indemnity sits relative to the cap.

Aggressive, one-sided position (push back, illustrative):

Customer will indemnify, defend, and hold harmless Vendor from any and all claims arising out of or related to this Agreement or Customer's use of the Service, including claims arising from Vendor's own negligence. Vendor will have sole control of the defense and settlement of all such claims. This indemnity is subject to the general liability cap.

The problems are stacked: the indemnity runs only one way (Customer to Vendor), the trigger is "any and all claims" with no link to Customer's own acts, it asks Customer to cover Vendor's own negligence, Vendor controls settlement with no Customer consent, and folding the indemnity under the general cap may leave Customer with no proportionate remedy. Each of those is a separate point to negotiate back toward the balanced position above.

How Bind handles this

Bind checks every contract against your playbook and automatically flags non-standard indemnities, missing carve-outs, one-sided obligations, and indemnities that sit inside the cap, so business teams can self-serve within guardrails legal sets once. Because Bind is rule-based and jurisdiction-agnostic, you encode your own standard, fallback, and walk-away positions for the indemnity, and Bind applies them consistently on every deal rather than depending on whoever happens to be reviewing. It is general enforcement of your rules, not legal advice. You can see how it fits an in-house workflow at bindlegal.com.

Frequently asked questions

What is a standard indemnification clause?
In many commercial and SaaS contracts, a standard indemnity covers third-party claims, not direct losses between the parties. The near-universal vendor indemnity is third-party IP infringement, usually paired with a data or security-breach indemnity. The indemnity typically includes a duty to defend, follows a defined claim procedure, and sits outside or above the general liability cap rather than inside it.

What is the difference between the duty to defend and the duty to indemnify?
They are two separate obligations. The duty to defend means funding and managing the legal defense (attorneys' fees, filings, experts) from the moment a claim is filed, regardless of who ultimately wins. The duty to indemnify is pure financial reimbursement, triggered only after liability is established by judgment, award, or settlement. The duty to defend is broader and starts much earlier, so "defend, indemnify, and hold harmless" shifts three obligations, not one.

Should an indemnification clause be mutual or one-sided?
It depends on the risk category, and there is no single answer. In SaaS, the IP-infringement indemnity is almost always one-sided, running vendor to customer, because the vendor controls the code it writes. Confidentiality and data-protection indemnities are frequently mutual, because both sides exchange data they must protect. A common hybrid pairs a vendor indemnity for the service with a narrower customer indemnity for the customer's own data, content, or misuse.

Should indemnities sit inside or outside the liability cap?
Market standard is that the IP-infringement indemnity sits outside the general liability cap (often uncapped) and data or security indemnities sit outside it or under an elevated super-cap, typically negotiated somewhere in the 2x to 5x annual-fees range. The proportionality argument is that third-party harm is not proportional to deal size. The single most-litigated ambiguity is silence, so the contract should state explicitly whether each indemnity is inside or outside the cap.

What is the standard remedy in an IP-infringement indemnity?
Beyond paying defense costs and damages, the standard IP indemnity gives the vendor a remedy ladder, at the vendor's option: (i) procure a license so the customer can keep using the service; (ii) modify or replace the service to be non-infringing; or (iii) if neither is commercially reasonable, terminate and refund prepaid, unused fees. Well-drafted clauses also list standard exclusions, such as the customer's unauthorized modifications or use contrary to documentation.

What are the red flags in an indemnification clause?
The most-cited red flag is a one-sided indemnity that puts all risk on you and none on the counterparty. Others include overbroad triggers such as any and all claims, being asked to indemnify the other party for their own negligence or willful misconduct, an indemnity capped at deal value with no carve-out from the general cap, and an indemnity that sweeps in indirect or consequential damages. See our clause library guide for documenting standard positions.