Risk-Sharing Clauses: Indemnity, Warranty, and Restriction of Responsibility

31 October 2025

Contracting is less about predicting the future and more about allocating the cost when the future refuses to cooperate. Risk-sharing clauses are the tools we use to draw that map. On paper they look tidy: indemnities for shifting third-party claims, warranties for promises about the goods or services, and limitation of liability for capping exposure. In practice, these clauses are fraught with nuance. One misplaced adjective can swing millions of dollars in exposure, or leave a company defending claims it never intended to shoulder.

I have negotiated and litigated these provisions in transactions ranging from six-figure SaaS subscriptions to multibillion-dollar EPC projects. The patterns repeat, but the stakes vary. What follows is a grounded tour of how indemnity, warranty, and limitation of liability interact, where they trip drafters, and how to calibrate them for the deal in front of you.
Why the structure matters
Risk does not live neatly in one clause. Parties often fixate on the cap in the limitation of liability and ignore how the indemnity carves past that cap, or how the warranty’s scope seeds claims that bypass negotiated damages. The interplay is the point. If you only optimize one clause, risk leaks through the others.

The law also adds friction. Some jurisdictions require magic words to enforce indemnity for negligence. Others bar disclaimers of implied warranties in consumer contracts, or treat gross negligence as uncappable. Insurance overlays these dynamics, because underwriters will not pay for liabilities you have promised away or assumed without their consent. The clause you write must survive both a judge’s scrutiny and a claims adjuster’s checklist.
Indemnity: the sharp instrument
An indemnity is a promise to protect the other party against certain losses, usually third‑party claims. The classic case is intellectual property infringement: a vendor warrants its software does not infringe, and indemnifies the customer if a third party sues. The warranty is the promise. The indemnity is the remedy.

Well-drafted indemnities are built from four decisions. First, whose losses are covered. Second, what triggers coverage. Third, what costs count as indemnifiable loss. Fourth, how the claim will be handled.

The question of whose losses are covered is not academic. If the indemnity covers “the other party and its affiliates,” you may have just extended defense and settlement obligations to a global group that never signed the contract. In high-velocity SaaS deals, limiting to “Customer and its subsidiaries that use the services” is often a fair middle ground, with explicit carve-outs for investment affiliates.

Triggers should be specific, not metaphors. “Arising out of or related to” is litigation fuel. It broadens the scope beyond direct causation. There are places where you want that breadth, for example bodily injury claims at a construction site. For product liability in a clean supply chain, “to the extent caused by” does a better job of aligning liability to fault. Some jurisdictions read “arising out of” as broad and “caused by” as tighter, which matters when overlapping negligence is in play.

Losses should include defense costs incurred in responding to the claim and settlement or judgment amounts. If you forget to mention defense costs, you end up with a promise to reimburse after the fact, not a duty to defend in real time. On the other hand, a duty to defend carries control, which a vendor may not want. A compromise I often use is a right and duty to defend with the indemnifying party selecting counsel, coupled with a consent right for settlements that impose obligations beyond paying money.

Control of the claim is the lever that prevents chaos. Without it, you risk paying for a gold-plated defense or an imprudent settlement. I have seen an indemnified party accept a settlement with a broad admission of liability that made the next lawsuit easier and more expensive. Add a clause that prohibits admissions, requires consent for non-monetary terms, and enforces cooperation.

Two practical edges recur. First, indemnity for your counterparty’s negligence. Many states allow it, some do not, and several require conspicuous language to enforce it. If you truly intend to cover your customer’s negligence, spell it out in capital letters in a separate sentence. Better yet, limit your indemnity to your negligence or willful misconduct unless the economics of the deal justify the broader promise.

Second, super caps. It is common to see an IP infringement indemnity sit outside the general limitation of liability. That is sensible when the vendor controls the IP stack and can procure insurance. It is less sensible for generic “breach of confidentiality,” which can balloon beyond the allocation the parties priced. Decide which buckets justify super caps based on control and insurability. IP, bodily injury, property damage, and fraud often qualify. Data breaches might, but only if the security program aligns to a reasonable framework and the vendor carries cyber limits that match.
Warranty: the calibrated promise
Warranties set expectations about what you are delivering. They are not only about truth; they are about risk. An overbroad warranty is the shortest path to uncapped exposure, because it invites claims that are not limited to replacement or repair.

Commercial warranties fall into two families. Affirmative warranties say, for example, your platform will conform in all material respects to the documentation, or your professional services will be performed in a professional and workmanlike manner. Negative warranties disavow certain things, for example that you are not making regulatory compliance promises beyond the narrow scope of the deliverable.

Conspicuous disclaimers matter. Under the law of many states, implied warranties of merchantability and fitness for a particular purpose attach by default in the sale of goods. In services and software, courts do not always apply them, but plaintiffs plead them. If your intent is to disclaim implied warranties, you must use the magic words, and you must make the disclaimer conspicuous. A separate paragraph in bold or caps makes life easier.

Duration is the quiet variable. A one-year performance warranty is common for complex hardware. For software subscriptions, tying the warranty to the term of the subscription effectively makes it evergreen. If you cannot stand behind that for a multi-year term, add a remedy selection that caps the warranty’s practical footprint: repair, replace, or refund.

Performance standards should track the realities of the product. Promising 100 percent uptime invites immediate breach arguments during scheduled maintenance. A 99.9 percent monthly uptime commitment with documented exclusions is the industry norm for many SaaS offerings, with service credits as the sole remedy. The words “sole remedy” are not decorative. If you omit them, a plaintiff will try to stack service credits with general damages.

Regulatory warranties are a common trap. A buyer may press for a warranty that the product complies with all applicable laws. That reads simple, yet “all applicable laws” in a cross-border sale could include dozens of regimes where neither party operates. A narrower statement that the product, as delivered, complies with the laws where the vendor is established and where the product is marketed is more defensible. If the buyer needs coverage for its jurisdiction, make that explicit and ask for details. I once saw a vendor sign a blanket “all laws” warranty for a payments service, only to learn later that the customer planned to use it to onboard merchants in a country where card rules effectively barred the use case. A narrowly tailored warranty would have forced that conversation early.
Limitation of liability: the pressure valve
A limitation of liability clause sets the economic boundary for claims between the parties. There are three parts to calibrate: the cap, the exclusions, and the measure of loss.

The cap is typically a fixed amount or a multiple of fees paid. For recurring services, a common formula is an amount equal to fees paid or payable in the 12 months before the claim. In project work with volatile fee profiles, a fixed sum can be clearer. Two caps can make sense: a general cap for most claims, and a higher cap for specific risks like IP infringement. If you agree to a super cap, tie it to insurance coverage where possible.

Exclusions from the cap are where deals drift into the red. The usual shortlist includes death, personal injury, willful misconduct, and sometimes breach of confidentiality or data security. If you follow market instinct and add data breaches, define what counts. A mishandled access request is not the same as a systemic breach exposing millions of records. If you tie the exclusion to “unauthorized access or acquisition of personal data caused by a party’s failure to comply with its information security obligations,” you have a cleaner link to fault.

The measure of loss should be spelled out. Many parties exclude indirect or consequential damages. Those terms have inconsistent meanings across jurisdictions. If you genuinely want to block lost profits or loss of data, say so plainly. Also think carefully about how lost profits play in your deal. In a reseller agreement, the reseller’s margin is its business model. Blocking its lost profits can nullify the remedy. In that case, carve in lost profits that are the direct and foreseeable result of a breach of the distribution clauses, while keeping the general bar on consequential damages intact.

Courts tend to enforce limitations of liability in commercial contracts, with caveats. Some jurisdictions do not allow caps for gross negligence or intentional wrongdoing. Some consumer protection laws treat limits as void. Drafting cannot cure illegality. If you operate in multiple jurisdictions, consider a governing law with predictable treatment of these clauses, and tailor your consumer-facing terms separately.
How the clauses interact
These provisions do not operate in silos. A warranty shapes the claims that can be brought. The limitation of liability shapes the financial outcome of those claims. The indemnity bypasses the limitation if the contract says so. A confidentiality breach might trigger a warranty claim, an indemnity for third-party data subject claims, and a debate over whether lost profits are barred. If the indemnity carves out of the cap, the exposure might be many times the fee base. That could be fine if the party that bears the risk has insurance and control. It is reckless if neither is true.

One effective technique is to map a handful of realistic scenarios and run them against the draft. Take a SaaS vendor hosting PII for a retailer. Scenario one: a vendor engineer accidentally exposes a small set of data to an unauthorized internal user, remediated within hours, with no demonstrated harm. Scenario two: a misconfiguration allows an external attacker to exfiltrate data for 50,000 customers. Scenario three: a third party sues the retailer claiming the vendor’s code infringes. For each scenario, answer four questions. Is there a breach of warranty? Does an indemnity apply? Is the claim capped or excluded? What insurance responds? If the answers do not match your risk tolerance or pricing, adjust the clauses.
Tying the terms to insurance
The best drafted risk allocation fails if insurance will not respond. Underwriters read the same clauses lawyers negotiate, and they look for red flags. Broad indemnities that assume liability for a counterparty’s negligence may trigger the contractual liability exclusion. Waivers of subrogation need to match the policy. Super caps should line up with limits. If you place a $5 million super cap on IP infringement but carry only $2 million of IP coverage, you have a $3 million gap that equity or reserves must fill.

Coordinate early with risk management. For tech deals, cyber policies vary widely on coverage for contractual penalties, regulatory fines, notification costs, and third-party claims. For construction and manufacturing, check additional insured endorsements, primary and noncontributory language, and completed operations periods. I have seen a contractor promise to maintain additional insured status for the duration of a project and completed operations for ten years, but the policy only offered three years of completed operations. That mismatch emerged only after a claim. The clause should have matched the policy or the policy should have been upgraded.
Common drafting patterns and their consequences
Parties often start from templates that carry old assumptions. Here are patterns that deserve scrutiny, with the real-world consequences if you leave them untested.
The “all laws” warranty. It reads aspirational, but in cross-border commerce it becomes a shortcut to impossible compliance. Trim it to the jurisdictions you can actually vet, and name them.

Mutual indemnities “for any breach.” An indemnity for breach converts a two-party dispute into an indemnify-me-for-my-legal-fees fight. Keep indemnities for third-party claims. Use caps and damages definitions to manage two-party breaches.

Carving confidentiality breaches out of the cap without definition. You expose yourself to uncapped liability for trivial mishandling. Limit the carve-out to willful or reckless breaches, or define “Security Incident” and link uncapped liability to incidents meeting a materiality threshold.

Excluding “loss of data” as a consequential damage in a data-heavy deal. If the sole remedy is restoring from backup, say that. If loss of data is a foreseeable and direct harm, carve it in as direct damages up to a sub-cap.

Neglecting claim control in indemnities. Without control, you can be presented with a settlement for a claim you would have won. Allocate control to the party paying for the defense, with safeguards for consent.

None of these patterns are wrong in every deal. They are wrong when they do not match the risk, the price, and the insurance.
Jurisdictional wrinkles
Risk clauses are not jurisdiction-neutral. A sampling of issues that change the calculus:
Some states require specificity to indemnify a party for its own negligence, and a few bar it in certain industries like construction. If you operate in those sectors, check the anti-indemnity statutes and tailor your indemnity to the allowed scope, often limited to the indemnitor’s proportionate fault.

Liquidated damages are enforced if they reflect a reasonable estimate at the time of contracting and are not a penalty. If your limitation of liability includes a credit schedule for service downtime, keep it in that zone. If you tie credits to business impact, offer a methodology that can be applied consistently.

Consumer laws in many countries limit or prohibit disclaimers of implied warranties, require minimum remedies, or cap early termination charges. Keep your business-to-consumer terms separate from enterprise terms, with appropriate localization. Courts take a dim view of importing enterprise-style caps into consumer contracts that are not individually negotiated.

Civil law jurisdictions may treat indirect damages differently than common law jurisdictions. If your deal spans multiple countries, consider enumerating excluded damage categories rather than relying on “indirect or consequential” as a catchall.

Governing law and forum selection clauses are risk terms in disguise. Choose a law with predictable enforcement of limitation and indemnity, and a forum that can handle complex commercial disputes.
Negotiation heuristics that save time
Deals usually do not fall apart on a single clause. They bog down when parties talk past each other. Two reframing moves help.

First, name the risk and link it to control. If a buyer wants an uncapped data breach carve-out, ask about the security controls in scope and what data will be stored. If the vendor controls the stack, carries adequate cyber coverage, and the data is sensitive, an elevated cap can make sense. If the buyer is injecting uncontrolled code or data through third-party plugins, the vendor should not take uncapped exposure for that risk.

Second, trade money for risk. If you ask the other side to bear more risk, raise price or extend term. If you concede on a cap, pull back on the indemnity breadth or drop a carve-out. The worst place to be is offering platinum risk terms at copper pricing.

I have closed more than one stalemated negotiation by slicing a single issue into sub-caps. For example, a general cap of 12 months’ fees, a 24-month sub-cap for breach of confidentiality limited to demonstrable costs of notice, credit monitoring, and remediation, and an out-of-cap indemnity for third-party IP claims. Each sub-cap tracked insurance and control. Once the map matched the terrain, the parties could sign.
Practical checklist for drafters and reviewers
A short checklist helps avoid costly gaps. Use it to structure your review before the redlines start to fly.
Map realistic claim scenarios against the indemnity, warranty, and cap. Check who controls the defense, what remedies apply, and what insurance responds.

Align caps and carve-outs to control and coverage. If exposure exceeds insurance, decide whether to raise price, reduce exposure, or buy more coverage.

Make disclaimers conspicuous and explicit. If you intend to disclaim implied warranties, use the statutory words and make them stand out.

Define your damages landscape. Spell out categories excluded and included. If you need to preserve lost profits for a specific use case, carve that in narrowly.

Match policy terms. Confirm additional insured status, completed operations periods, waivers of subrogation, and notice requirements in both the contract and the policy.

Five items are not enough to capture every nuance, yet they catch the most common failure points. Teams that run through this list avoid surprises when the first real claim arrives.
Edge cases worth planning for
Not every risk fits neatly into indemnity, warranty, or cap. A few outliers deserve attention.

Source code in escrow can create odd liabilities. If you agree to release source code upon a vendor default, add a narrow license grant that matches the release condition and limit liability for issues arising from customer modifications. Otherwise, you can be drawn into supporting a fork you never intended to maintain.

Open-source components require a distinct treatment. Most OSS licenses lack warranties and disclaim liability. If your product relies on open-source libraries, do not give a blanket warranty that contradicts those licenses. Use a “conforms in all material respects to the documentation” warranty, and disclose OSS usage in a schedule. Some customers will ask for a third-party scan certification. If you provide one, limit it to a snapshot in time and avoid certifying future compliance.

Artificial intelligence features complicate representations of accuracy. If your product includes probabilistic outputs, do not warrant correctness in all cases. Offer a performance commitment for uptime, a process commitment for model updates, and clear guidance on human-in-the-loop use. Tie your liability to those commitments. Buyers should calibrate expectations and build a governance plan that matches the use case.

Change of control clauses can silently expand risk. If indemnities bind affiliates or successors, and your counterparty is acquired by a conglomerate with outsized risk, your exposure grows overnight. If the deal size warrants it, build in a right to reassess caps or terminate for convenience upon a change of control to a named competitor.
Documentation habits that pay off during claims
The most sophisticated clauses are only as good as your ability to execute them. When a claim hits, time compresses and the paper trail becomes the story.

Make notice procedures operational. If the indemnity requires notice within a fixed time, route claims to a monitored mailbox and empower a person to respond. Courts are forgiving if late notice does not prejudice the defense, but underwriters are not always so generous. Create a playbook: who calls the insurer, who retains counsel, who speaks to the other party.

Log performance under warranties. For uptime commitments, preserve monitoring data and maintenance notices. For services warranties, maintain acceptance records and change orders. Disputes over warranty breaches often turn on whether the customer accepted a deliverable, or whether the issue was out of scope. A clean record ends arguments faster than rhetoric.

Train your team not to make admissions. Customer success reps love to help by saying “this is our fault.” Those words migrate into discovery and settlement discussions. Give them language that expresses empathy without admitting liability, and a clear path to escalate.
Calibrating risk to deal size
A common question from sales leaders is how to right-size these terms across a portfolio of deals. Sophisticated organizations tier their risk positions to revenue thresholds and verticals. For small deals under a certain monthly recurring revenue, they hold the line on a standard cap, narrow indemnity, and service credits as sole remedy. For strategic customers, they consider elevated caps, broader indemnities for IP, and customized security commitments backed by higher insurance limits. The important point is consistency. Ad hoc concessions accumulate into an uninsurable risk stack.

One rule of thumb I use: if a concession could increase expected loss by more than ten percent of annual profit from the contract, escalate it to an executive who can trade risk for price or scope. Legal cannot be the only seat deciding how much risk the company buys.
Closing thought
Risk-sharing clauses are not abstract law school topics. They are the levers that keep a business solvent when things go wrong. Treat the indemnity as a surgical tool for third‑party claims, the warranty as a calibrated promise about what you control, and the limitation of liability as the pressure valve that preserves proportionality. Match caps and carve-outs to control and insurance. Write for the forum where you might have to defend the words. Most of all, test your draft against the specific ways this deal can go sideways. If the paper holds in those scenarios, the contract is doing its job.
