June 16, 2026 · 10 min read
Limitation of Liability Clauses: What's Standard in 2026

What is a standard limitation of liability cap?

In many commercial and SaaS contracts, the standard general cap limits each party's total liability to 1x the annual fees, measured as the fees paid or payable in the 12 months immediately before the event giving rise to the claim. The cap is typically mutual, and a defined set of high-risk categories sits above it or outside it entirely. There is no single legal "correct" number, but this is the convention most counterparties recognize as fair.

A limitation of liability clause does two separate jobs that are easy to conflate. It caps the dollar amount one party can recover, and it excludes whole categories of damage (such as indirect or consequential loss) from recovery at all. Getting the cap "right" means getting both of those, plus the list of carve-outs, into alignment with the risk of the deal.

This guide is the pilot in our "what is standard?" clause series. It is written for in-house legal teams and the business users they enable: the sales, procurement, and partnerships colleagues who hit these clauses daily and need to know when a cap is normal, when to push, and when to escalate.

#1: Limitation of liability is the single most-negotiated commercial contract term, ahead of price and indemnification, and has held the top spot since at least 2007.
Source: World Commerce & Contracting (WorldCC), Most Negotiated Terms 2024

The liability cap spectrum

Caps are not binary. They run along a spectrum from conservative (vendor-favorable) through the market standard to aggressive (customer-favorable) and finally to positions that should make either party walk. The chart below shows where common cap levels fall, expressed as a multiple of annual fees or annual contract value (ACV).

Typical liability cap as a multiple of annual fees / ACV

| Position | Multiple |
| --- | --- |
| Standard general cap (1x annual fees) | 1 |
| Customer-favorable (2x ACV) | 2 |
| Aggressive (3x ACV per-claim) | 3 |
| Super-cap for high-risk heads (5x) | 5 |

Source: Synthesis of KO Law Firm, Koley Jessen, CloudNuro, and ContractSent practitioner guidance, 2026

A few patterns hold across the practitioner sources. Conservative, vendor-favorable positions anchor on 1x fees actually paid with an aggregate cap. The standard for technology and retail deals is 1x annual fees or ACV. Regulated, data-heavy deals (healthcare, financial services, critical infrastructure) routinely run 1x to 3x, and the high-risk categories within them get pushed into super-cap territory. Aggressive customer-favorable positions ask for 2x to 3x fees payable over the full term, per-claim rather than aggregate caps, and broad carve-outs.

Two structural choices move the real number more than the headline multiple does: the cap basis ("fees paid in the 12 months preceding the claim" versus "total fees paid" versus "total contract value") and whether the cap is aggregate or per-claim. A "1x" cap can mean wildly different things depending on which basis it uses.

What's actually in a limitation of liability clause

A well-drafted clause has three moving parts, and they should be read as separate levers rather than one block of text.

1. The cap (a ceiling on amount). A dollar limit on the damages that remain recoverable, typically the trailing 12 months' fees. Best practice favors "paid or payable" over "actually paid" so the denominator is not near zero early in the term, and pairs the multiple with a fixed-dollar floor (for example, "the greater of $X or 12 months' fees") so low-spend customers still have a meaningful cap.

2. The damages exclusion (a bar on type). A waiver of indirect, consequential, special, incidental, exemplary, and punitive damages, usually including lost profits. This removes an entire category of loss, so the breaching party is only ever exposed to direct damages, which the cap then bounds. Excluding consequential damages is not the same as capping direct damages; a clause should do both.

3. The carve-outs (what sits outside the cap). The items that are excluded from the cap, the exclusion, or both, and are therefore uncapped or super-capped. This is where most real exposure lives.

The lost-profits trap

"Lost profits" are not automatically consequential. Some courts treat them as direct damages when they are the profits the contract itself promised, which means a waiver of "consequential damages, including lost profits" can leave the most painful loss outside the waiver. Where lost profits matter, practitioners recommend expressly defining them as excluded regardless of how they are characterized, rather than relying on the consequential-versus-direct line.

The standard carve-outs that sit outside (or above) the general cap are well established: IP-infringement indemnity (most commonly fully uncapped), confidentiality and data-protection breaches, fraud, gross negligence, willful misconduct, and a party's payment obligations. The drafting risk runs in both directions. Carve-outs that are too narrow leave you under-protected on a data breach. Carve-outs that are too broad can swallow the cap entirely and recreate effectively unlimited liability despite a negotiated number.

Is it reasonable?

Use the table below to triage a clause quickly. The "Standard" column is the position most counterparties accept without much friction. "Aggressive" is where you should push back. "Red flag" is where you escalate or walk.

| Element | Standard | Aggressive (push back) | Red flag (walk away) |
| --- | --- | --- | --- |
| Cap amount | 1x fees paid or payable in the trailing 12 months, with a fixed-dollar floor | Sub-12-month multiple, or "actually paid" basis with no floor | Nominal cap (1 to 3 months' fees), e.g. ~$6k against $500k of real exposure |
| Carve-outs | IP indemnity, confidentiality, data/security, fraud, gross negligence, willful misconduct, payment obligations | Confidentiality or data/security folded back under the general cap | No carve-outs at all for IP, data, confidentiality, or willful misconduct |
| Mutuality | Same cap both directions | One-sided cap "as standard," resistant to mutuality | One party capped, the other fully exposed, with no movement |
| Super-caps | 2x to 5x annual fees (or a fixed sum) for data, privacy, IP | No elevation offered for a security-sensitive deal | Security-sensitive deal at the general cap with no insurance behind it |
| Consequential damages | Mutual waiver of indirect/consequential loss, lost profits defined and excluded | Blanket exclusion with no definitions, inviting disputes | Exclusion that also sweeps in direct lost profits the contract promised |

The point of the table is proportionality. A 1x cap on a $100k SaaS deal covers around two percent of the average data-breach cost, which IBM and Ponemon put at USD 4.44M globally in their 2025 Cost of a Data Breach report (down from USD 4.88M in 2024). That gap is exactly why the data-security carve-out and any super-cap matter more than haggling over whether the general cap is 1x or 1.25x.

Red flags

Treat any of these as a trigger to push back hard or escalate: a cap tied to fees from the prior 1 to 3 months; an "actually paid" basis with no fixed floor on a brand-new contract; a 6-month rather than 12-month lookback; per-claim caps with no aggregate ceiling, letting damages accumulate without limit; no carve-outs at all for data security, IP, confidentiality, or willful misconduct; a one-sided cap where only the counterparty is protected; refusal to carry adequate Cyber and E&O insurance behind an uncapped or thinly-capped position; or a cap so low relative to contract value that it leaves you with no viable remedy. Most of these are individually fixable. Several of them together usually mean the clause was drafted to leave the other side with no meaningful remedy in practice.

How to negotiate it

The cleanest way to negotiate a liability cap is to decide your three positions before you open the document, then trade down a defined ladder rather than improvising. This is the playbook concept: a documented ask, fallback, and walk-away for the clause, so anyone on the team negotiates it the same way.

1. Set your standard ask
2. Define your fallback
3. Fix your walk-away line
4. Negotiate liability last
5. Substitute remedies, not concessions

A typical ladder for a buyer on a security-sensitive deal looks like this. Ask: a mutual 1x to 2x cap, a 3x to 5x super-cap (or unlimited) for data and IP, and the standard carve-outs. Fallback: accept the counterparty's one-sided general cap but secure mutual carve-outs for security, IP, and confidentiality plus SLA service credits. Walk-away: a nominal sub-12-month cap with zero carve-outs and no insurance.

Three tactics consistently help when leverage is thin. First, negotiate the liability provisions last, after scope and price are fixed, so the cap cannot be recalculated against a moving fee number. Second, reach for "easy outs" instead of dying on the cap: clear termination rights, a ceiling on annual fee increases, or SLA credits as a proportionate remedy. Third, remember the deal-size reality. As a rough rule of thumb, vendors rarely move off standard terms on small deals, meaningful flexibility tends to appear as spend climbs toward strategic or seven-figure levels, and super-caps are usually a non-starter with hyperscalers but very much on the table with smaller vendors. Mutuality is the one ask worth holding almost regardless of size, because it is hard to argue against in principle.

What the other side will argue

Most cap negotiations recycle the same handful of counterparty arguments. Having a calm, standard response ready keeps the conversation on the substance.

| They say | You say |
| --- | --- |
| "1x annual fees is our standard cap and it is non-negotiable." | "Standard for the general cap, agreed. We are aligned there. The open item is the data-security and IP carve-out, not the base number." |
| "We cap our liability; we cannot accept uncapped exposure." | "Neither can we, which is why we are proposing a mutual cap and a super-cap for the high-risk heads, not unlimited liability across the board." |
| "This is a one-sided cap because we carry the delivery risk." | "Do you cap your own liability to your customers? If so, mutuality is just the same protection running both directions." |
| "We exclude all consequential damages, so you are already protected." | "Excluding consequential damages bars a type of loss; it does not cap our direct exposure. Those are two different levers and we need both addressed." |
| "We cannot offer a super-cap for data security." | "Then let's set a fixed-dollar data-security cap instead of a fee multiple, and tie it to the insurance you already carry." |

The framing that unlocks most of these is WorldCC's own finding: negotiators over-focus on risk and liability terms relative to the terms that actually drive value, and only about four of the top-ten most-negotiated terms also appear on the most-important list. Spending an extra week on whether the cap is 1x or 1.1x, while the carve-outs and SLA remedies go unexamined, is the classic version of that mistake.

Sample clause language

Not legal advice

The language below is general, illustrative guidance to show what standard and aggressive positions tend to look like. It is not legal advice, it is not a substitute for counsel reviewing your specific agreement and governing law, and Bind is not a law firm. Carve-out enforceability in particular varies by jurisdiction; align the list with the law that governs your contract.

Standard, mutual position (illustrative):

Except for the Excluded Claims, each party's total aggregate liability arising out of or related to this Agreement, whether in contract, tort, or otherwise, will not exceed the greater of (a) the total fees paid or payable by Customer under this Agreement in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) US$[floor]. Neither party will be liable for any indirect, incidental, special, consequential, or punitive damages, or for lost profits, even if advised of their possibility. "Excluded Claims" means a party's indemnification obligations for third-party intellectual-property infringement, breaches of confidentiality, breaches of its data-protection and security obligations, fraud, gross negligence, and willful misconduct, and Customer's obligation to pay fees due.

This is balanced because the cap is mutual, uses "paid or payable" with a fixed floor, defines a clear 12-month reference period, waives the consequential category, and lists the standard carve-outs explicitly.

Aggressive, vendor-favorable position (push back, illustrative):

Vendor's total liability under this Agreement will not exceed the fees actually paid by Customer in the three (3) months preceding the claim. In no event will Vendor be liable for any indirect or consequential damages or lost profits. This limitation applies to all claims of every kind.

The problems are stacked: the cap is one-sided (only Vendor is limited), the basis is "actually paid" rather than payable, the lookback is 3 months rather than 12, there is no floor, and there are no carve-outs at all, so a data breach or IP-infringement claim is capped at a near-nominal sum. Each of those is a separate point to negotiate back toward the standard position above.

How Bind handles this

Bind checks every contract against your playbook and flags non-standard caps, missing carve-outs, and one-sided limitations automatically, so business teams can self-serve within guardrails legal sets once. Because Bind is rule-based and jurisdiction-agnostic, you encode your own standard, fallback, and walk-away positions for the liability cap, and Bind applies them consistently on every deal rather than depending on whoever happens to be reviewing. It is general enforcement of your rules, not legal advice. You can see how it fits an in-house workflow at bindlegal.com.

Frequently asked questions

What is a standard limitation of liability cap?
In many commercial and SaaS contracts, the standard general cap is 1x the annual fees, measured as the fees paid or payable in the 12 months immediately before the event giving rise to the claim. The cap is typically mutual, applying the same limit to both sides. Higher-risk categories such as data security or IP infringement usually sit above this general cap or outside it entirely.
What does a 12-month liability cap actually mean?
It means total liability for most claims is limited to the fees paid (or payable) under the agreement during the 12-month period immediately preceding the claim. On a contract billed at $100k a year, that produces roughly a $100k ceiling. Using 'paid or payable' rather than 'actually paid' matters, because early in a term the fees actually paid can be near zero, leaving an unreasonably low cap.
What are typical carve-outs from a liability cap?
The common set sits outside or above the general cap: IP-infringement indemnity, breach of confidentiality, data-protection or security breaches, fraud, gross negligence, willful misconduct, and a party's payment obligations. These carve-outs are where most real exposure lives. An over-broad carve-out list can quietly recreate effectively unlimited liability, so it deserves as much scrutiny as the cap number itself.
What is a super-cap in a contract?
A super-cap (or enhanced cap) is an elevated ceiling applied only to high-risk categories such as data security, privacy, confidentiality, or IP infringement. It sits between the general cap and fully uncapped liability, commonly running 2x to 5x annual fees or a negotiated fixed sum, with 5x the most common multiple where an elevated cap is used. It is the usual middle ground in a capped-versus-unlimited fight.
Should a liability cap be mutual?
In B2B agreements, mutuality is standard: the same cap applies to both parties. A one-sided cap, where one party is capped and the other is exposed without limit, is one of the most-cited red flags. A common response to 'this is our standard position' is to ask whether the counterparty caps its own liability with its customers, which it usually does. See our clause library guide for documenting mutual positions.
When should you walk away from a liability clause?
Consider walking away or escalating when you see a nominal cap such as fees paid in the prior one to three months, no carve-outs at all for data security, IP, confidentiality, gross negligence or willful misconduct, a sub-12-month lookback, an 'actually paid' basis with no fixed floor on a new contract, or unlimited exposure you cannot absorb without adequate insurance behind it. These leave one party with no meaningful remedy.