Every contract has a limitation of liability clause. Most people skip it. They treat it like the safety briefing on a flight -- background noise before the real action starts. Then something goes wrong and the limitation of liability provision becomes the only clause in the entire agreement that matters.
Here is an example. Companies sign SaaS agreements with a $5,000 monthly fee and a limitation of liability that caps damages at "fees paid in the prior 12 months." That is $60,000. The data breach that followed cost $4.2 million. The limitation of liability clause held. The client was out of luck.
That is what these liability clauses do. They define the ceiling on what you can recover -- or what you owe -- when things go sideways. Understanding the limitation of liability in any agreement you sign is not optional. If you are signing contracts without understanding how limitation of liability works, you are gambling with your business and accepting financial risk you cannot quantify.
A limitation of liability clause sets the boundaries on what each party owes when something goes wrong. It does two things. First, it caps the total amount one party can be held liable for under the agreement -- the aggregate liability shall not exceed a stated dollar figure. Second, it typically excludes certain types of damages entirely.
Think of it as a two-layer shield. The first layer is the liability cap -- a hard dollar ceiling on total exposure. The second layer is the consequential damages exclusion, which eliminates entire categories of recoverable loss or damage. Together, these two mechanisms define the risk architecture of the entire contract.
Without a limitation of liability clause, a party could theoretically be liable for every dollar of damage their breach or negligence causes, including downstream consequences that ripple through the other party's business. In the event of a breach, liability arising from that failure could be enormous -- lost profits or special damages, business interruption, regulatory penalties. That is an unlimited risk posture, and no sophisticated party signs up for it voluntarily. Under applicable law, the default rule is that the breaching party is liable for all foreseeable damages, whether in contract, tort, or otherwise -- which is precisely why parties to this agreement use limitation of liability and indemnification provisions to allocate financial risk more predictably. Learn more about indemnification clauses.
The limitation of liability provision exists because both sides need to price the deal. Vendors need to know their worst-case exposure. Customers need to understand the ceiling on their recovery. The liability cap makes the economics of the agreement work.
Not all liability clauses are built the same. The structure of the cap -- and who it applies to -- changes the risk profile entirely. Understanding the different types of damages that can be limited, and how each provision of this agreement interacts with the others, is essential before you sign.
The most common structure. Total liability under the agreement shall be limited to an aggregate amount, usually tied to fees paid. You will see language like "in no event shall either party's aggregate liability exceed the total fees paid in the twelve months preceding the claim."
This is the standard limitation of liability structure in SaaS and technology agreements. The cap applies to all claims arising in connection with this agreement, regardless of the theory of liability -- breach of this agreement, negligence, strict liability. Once you hit the ceiling, that is it. Neither party shall be liable to the other party for amounts exceeding the cap, the total liability shall not exceed the amount stated, and the liable party owes nothing more hereunder. To the extent permitted by applicable law, the foregoing limitation controls.
Less common but sometimes used in managed services or outsourcing agreements. Instead of a single aggregate cap, the limitation of liability imposes a per-incident ceiling. Each discrete claim has its own cap, but there may also be an overall aggregate that covers all loss or damage arising under the contract.
The advantage of a per-incident limitation of liability provision is that one catastrophic event does not consume the entire cap, leaving nothing for subsequent claims. A clause can provide more flexibility when structured this way. The disadvantage is complexity -- parties will fight over what constitutes a single "incident" and what types of damages fall within each cap. The contract might also leave ambiguity about how the per-incident and aggregate caps interact.
A mutual limitation of liability clause applies the same cap to both parties. Each side's aggregate liability is limited to the same amount. This is the standard in arm's-length commercial agreements between parties of comparable bargaining power.
A one-sided cap means one party gets a lower cap -- or no cap at all -- while the other's liability is limited. Enterprise vendors love this. They want their liability capped at fees paid while the customer's obligation to indemnify remains unlimited. If you see a one-sided limitation of liability, push back. Hard.
A limitation of liability clause is only as strong as its enforceability. Courts in Connecticut, New York, and across the country regularly evaluate whether these clauses actually hold up under applicable law. Here is where they break down.
If a limitation of liability clause is so one-sided that no reasonable person would agree to it, courts can refuse to enforce it. Unconscionability has two prongs: procedural (was there meaningful bargaining?) and substantive (are the terms unreasonably harsh?). A liability cap of $1 in a million-dollar agreement is going to raise eyebrows.
Connecticut courts apply the unconscionability analysis under the Uniform Commercial Code for goods contracts and common law for services. The bar is high -- courts generally respect the freedom of sophisticated parties to allocate risk except to the extent that the clause might violate public policy. But it is not insurmountable, and a clause that attempts to limit liability for all types of damages without limitation -- notwithstanding any agreement to the contrary -- may be struck down.
This is the big one. Most well-drafted limitation of liability clauses include a carve-out for gross negligence or willful misconduct. Even clauses that do not expressly include this carve-out may be subject to it as a matter of public policy.
The logic is straightforward: you should not be able to cap your liability for intentional wrongdoing. If a vendor deliberately destroys your data or a party commits fraud, the limitation of liability clause shall not be deemed to protect them. Courts distinguish between ordinary negligence (where caps typically apply) and gross negligence or willful misconduct (where they often do not).
New York courts have consistently held that limitation of liability provisions do not shield parties from liability for gross negligence. Connecticut follows a similar approach. If your counterparty's conduct rises above mere carelessness into recklessness or intentionality, the cap may evaporate -- regardless of what the agreement shall say about limiting exposure.
Related to willful misconduct but distinct. A party cannot use a limitation of liability clause to cap its exposure for fraudulent conduct. Fraud vitiates the entire contract, including the liability clauses. This is black-letter law in virtually every jurisdiction.
No matter how expressly your contract attempts to limit liability, courts will not enforce a provision that shields fraudulent behavior. If you discover fraud, the limitation of liability provision is essentially void as a matter of applicable law.
Increasingly, sophisticated parties negotiate specific carve-outs for data breach liability. The standard fees-paid cap is inadequate when a breach exposes millions of customer records and triggers notification obligations, regulatory fines, and class action lawsuits.
Data breach carve-outs typically set a higher liability cap -- often a multiple of the standard cap (2x, 3x, or even uncapped) -- for claims arising from unauthorized access to or disclosure of personal data. If your agreement involves sensitive data and the limitation of liability clause does not address data breach scenarios specifically, you have a gap that exposes you to significant financial risk.
Here is where limitation of liability clauses get genuinely interesting -- and genuinely dangerous.
The standard SaaS limitation of liability caps damages at 12 months of fees paid. For a $5,000/month platform, that is $60,000. But what happens when the platform processes your customer data, suffers a breach, and you are facing $10 million in downstream liability? Neither party shall be liable beyond the cap -- even if the actual loss or damage is catastrophic.
The fees-paid cap made sense when software was sold in boxes and the worst-case scenario was the software not working. It makes no sense in a world where SaaS platforms hold your crown jewels -- customer data, financial records, trade secrets, AI training data. The damage from a failure can exceed the contract value by orders of magnitude, and any party that has been advised of the possibility of such damages should negotiate accordingly.
If you are a buyer, demand a super-cap for data-related claims. If you are a vendor, understand that sophisticated customers will not accept a fees-paid cap for data breach or data loss scenarios. The market has moved.
AI contracts introduce a new dimension to limitation of liability analysis. When an AI model hallucinates, generates infringing content, or produces outputs that cause downstream harm, who shall be liable? And how much?
Most AI vendor agreements cap liability at fees paid. But if an AI tool generates legal advice that causes your client to lose a case, or produces marketing copy that infringes a competitor's trademark, the damages could dwarf the subscription fee. The limitation of liability clause in your AI agreement needs to account for the fact that AI outputs get integrated into products, decisions, and customer-facing content -- creating indirect or consequential damages that no standard cap adequately addresses.
Model hallucination liability is the next frontier. Limitation of liability clauses in AI agreements should address output accuracy, fitness for purpose, and consequential damages arising from reliance on AI-generated content. Most do not. That gap will generate litigation.
IP indemnification is another area where the standard liability cap falls short. If a vendor's software infringes a third party's patent and you get sued, a limitation of liability capped at fees paid leaves you holding the bag for potentially millions in patent litigation costs. Neither party shall be comfortable with that outcome.
Best practice: carve IP indemnification obligations out of the standard limitation of liability cap entirely, or apply a significantly higher super-cap. The vendor's obligation to indemnify you for IP claims should not be subject to the same ceiling as a garden-variety breach. This is table stakes in enterprise technology agreements.
Nearly every limitation of liability clause includes language excluding indirect or consequential damages, along with special and incidental damages. This matters enormously because the most expensive types of damages in a commercial dispute are almost always consequential.
Lost profits. Lost revenue. Lost data. Business interruption. Damage to reputation. Loss of goodwill. Cost of procuring substitute services. These are all consequential damages -- harm that flows from the breach but is not a direct result of the breaching conduct itself.
Here is a clause example you will see in virtually every technology agreement and terms of service: "In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including without limitation loss of profits or revenues, liability for lost data, business interruption, or loss of goodwill, arising in connection with this agreement, whether in contract, tort, or any other theory of liability, even if such party has been advised of the possibility of such damages."
That single sentence can eliminate 90% of your recoverable damages. If a vendor's platform goes down for a week and you lose $500,000 in revenue, that is a consequential damage. The limitation of liability clause just capped your recovery at whatever the aggregate liability cap says -- and excluded the lost revenue entirely. The vendor shall not be liable to the other party for those downstream losses or any items lost or damaged in the process, except as provided in the agreement through any negotiated carve-outs.
The line between direct and consequential damages is blurrier than most lawyers will admit. Courts do not always agree on which category a particular type of loss or damage falls into. Lost profits from a breach of a revenue-generating contract -- are those direct or consequential? Courts have gone both ways.
This ambiguity makes consequential damages exclusions simultaneously powerful and unpredictable. When drafting limitation of liability clauses, specificity beats generality. Name the categories you are excluding. Name the categories you are preserving. Any provision of this agreement that shall be deemed ambiguous will be interpreted against the drafter -- so do not leave it to a judge to sort out which types of damages are covered and which are not.
If you are a startup or a growing technology company, here is how to approach limitation of liability clauses in your agreements. These tips will help you limit liability effectively while preserving your right to meaningful recovery.
Do not accept a single flat liability cap for all claims. Implement a tiered approach: a standard cap (12 months fees) for general breach claims, and a higher super-cap (2x-3x fees, or a fixed dollar amount) for IP indemnification, data breach, and confidentiality obligations. Liability for these elevated-risk categories shall be limited to the super-cap amount, not the standard cap. This structure reflects the reality that not all liabilities are created equal.
If the vendor's liability is capped, yours should be too. A mutual limitation of liability protects both parties and signals a balanced agreement. One-sided liability caps are a sign the vendor's lawyers are trying to shift all financial risk to you. Neither party shall bear disproportionate exposure in a well-drafted agreement.
A limitation of liability clause is only meaningful if the liable party can actually pay. Require your counterparty to maintain adequate insurance -- cyber liability, errors and omissions, general commercial liability -- with minimum coverage amounts that align with the liability cap. An agreement with a $5 million liability cap and a counterparty that carries $500,000 in coverage is not worth the paper it is printed on. Also ensure that no individual officer or director is personally liable for obligations that should sit at the entity level.
Your limitation of liability clause should expressly list what is carved out of the cap: gross negligence or willful misconduct, fraud, breach of confidentiality, data breach, IP infringement, and indemnification obligations. Except as provided in these carve-outs, liability shall be limited to the stated cap. Do not rely on implied carve-outs. Courts in Connecticut and New York will enforce what the contract says -- and only what the contract says.
If the agreement involves AI services, data processing, or access to sensitive information, your limitation of liability provision needs to specifically address these risks. Standard liability clauses drafted for traditional software licenses do not account for the risk profile of AI-powered platforms. Add specific limitation of liability language for model outputs, data handling, and algorithmic decision-making. The clause examples you find in template agreements are not sufficient for AI contracts.
Connecticut and New York courts generally enforce limitation of liability clauses between sophisticated commercial parties. The operating principle is freedom of contract -- if two businesses negotiated the terms at arm's length, courts will respect their allocation of risk under applicable law.
In Connecticut, the Supreme Court has held that limitation of liability provisions in commercial contracts are presumptively enforceable. The party seeking to avoid the clause bears the burden of proving unconscionability or that the clause violates public policy. Gross negligence and willful misconduct exceptions apply, but the standard is high.
New York takes a similar approach. New York courts routinely enforce liability caps and consequential damages exclusions in commercial agreements, even when the resulting limitation seems harsh. The key factors are: (1) whether the parties were sophisticated, (2) whether there was meaningful negotiation, and (3) whether the clause was conspicuous. A limitation of liability provision that is buried in fine print may face closer scrutiny than one that is expressly called out in a separate section.
Both states will refuse to enforce a limitation of liability clause that purports to shield a party from liability for fraud or intentional misconduct. Both states will also scrutinize clauses in consumer contracts more closely than those in commercial agreements. If you are a business-to-business company, your limitation of liability clauses will generally hold. If you are consumer-facing, tread more carefully.
A limitation of liability clause is not boilerplate. It is the most economically significant provision in your agreement. It defines the ceiling on recovery, eliminates entire types of damages, and allocates financial risk between the parties in ways that can make or break your business.
Read every limitation of liability clause. Negotiate the cap, the carve-outs, and the consequential damages exclusion. Do not accept the vendor's first draft. And if the agreement involves AI, sensitive data, or significant operational dependency, demand limitation of liability terms that reflect the actual risk -- not just the contract price.
If you need help reviewing or drafting limitation of liability clauses in your technology agreements, contact Turley Law for a consultation. We draft and negotiate these provisions every day -- and we know where the bodies are buried.
The Founder's Playbook: 15 chapters on the legal foundations every business needs. Get Chapter 1 free.
Schedule a free consultation to discuss how this applies to your business.