What Is a Fair Liability Cap in a Contract?

Short answer: a fair liability cap is mutual, reasonable in size relative to the deal, and does not quietly exclude the risks that matter most — and many caps fail at least one of those tests. A limitation-of-liability clause sets the ceiling on what one party can recover from the other if something goes wrong, and it is one of the most consequential clauses in any commercial agreement. It rarely gets read carefully, because it is dense and feels remote until the day you actually need to recover damages. Here is how to tell a fair cap from a trap before you sign.

What a liability cap actually does

A limitation-of-liability clause says that no matter how much harm a party causes through breaching the contract or being negligent, the most the other party can recover is a defined amount. Caps are not inherently unfair — they let both sides price and bound their risk, which is part of why deals get done at all. The problem is when a cap is set so low, or written so one-sidedly, that it effectively means one party bears all the real consequences while the other faces almost none.

There are usually two layers to read. First, the cap itself: the dollar figure or formula limiting total liability. Second, the exclusions: categories of damages, like "indirect" or "consequential" losses, that are carved out entirely and cannot be recovered at all. Both shape your real exposure, and a fair-looking cap can be undermined by an aggressive exclusion list.

The "one month of fees" trap

The most common red flag is a cap pegged to a tiny slice of what you pay. A SaaS contract might limit the vendor’s total liability to "the fees paid in the one month preceding the claim." If that vendor loses your data or suffers a breach that costs your business far more, your maximum recovery is a single month’s subscription. The cap is wildly out of proportion to the harm, and it quietly shifts the entire downside onto you. A more balanced figure ties the cap to a longer period — often the fees paid over the prior twelve months — so it bears some relation to the real risk.

Watch for one-sided caps

Read whether the cap applies to both parties or only one. Some contracts limit the vendor’s or service provider’s liability tightly while leaving your liability uncapped, so they are protected and you are exposed. A fair clause is mutual: both sides face the same ceiling. If the cap protects only them, that asymmetry is itself a reason to negotiate, regardless of the number.

The exclusions that swallow the cap

Even a reasonable cap can be hollowed out by what it excludes. Many clauses bar recovery of "indirect, incidental, special, or consequential damages" — and a lot of the real harm from a breach (lost profits, lost data, business interruption) can be characterized as exactly those. If the contract excludes consequential damages entirely and caps the rest at a low number, you may be left with almost no meaningful remedy. Read the exclusion list as carefully as the cap, because that is often where the protection actually disappears.

The carve-outs that should survive

Just as some exclusions hurt you, some carve-outs protect you — and fair contracts include them. Certain liabilities should sit outside the cap entirely, meaning they are recoverable in full no matter what. Common, reasonable carve-outs include a party’s indemnification obligations, breaches of confidentiality, gross negligence or willful misconduct, and a data breach involving personal information. If the cap applies to everything, including the other side’s worst behavior, that is too favorable to them. Pushing the most serious risks above the cap is a standard, defensible ask.

In practice this is one of the most productive places to negotiate. Even a party unwilling to raise the overall cap will often agree that data breaches, confidentiality violations, or IP indemnities should be uncapped, because those are exactly the catastrophic risks a cap should not be allowed to excuse.

When no cap, or a high one, is the fair answer

Sometimes the right outcome is little or no cap at all on certain liabilities. If you are entrusting a vendor with sensitive customer data, the potential harm from a breach can be enormous and largely within their control, so it is reasonable to insist that breach-related liability be uncapped or capped at a meaningful level rather than a token one. The same logic applies to a party’s indemnification of you against third-party claims — capping their duty to defend you can leave you exposed to the very risk the indemnity was supposed to cover. A cap is a tool for allocating ordinary risk, not for letting a party escape responsibility for the catastrophic failures they are best positioned to prevent. Matching the cap to who controls the risk is often more important than the headline number.

How big should the cap be?

There is no universal number, but a few reference points help. For subscription services, a cap tied to twelve months of fees is far more common and defensible than one month. For larger or riskier engagements, caps are sometimes set at a multiple of fees, or at a fixed amount negotiated to reflect the potential harm. The right size depends on what could actually go wrong: the more damage a failure could cause you, the higher the cap should be to keep the clause from shifting that damage onto you. Compare the cap to the realistic worst case, not to the monthly invoice.

Direct, indirect, and consequential damages explained

These terms decide what kinds of harm you can even claim, so they are worth understanding. Direct damages are the immediate, obvious losses that flow straight from a breach — for example, having to pay another vendor to redo work that was not delivered. Indirect or consequential damages are the knock-on losses: lost profits, lost business, reputational harm, the customers you lost because the vendor’s outage took down your site. The catch is that the consequential losses are often the largest part of the real damage, yet they are exactly what many contracts exclude.

So a clause that says "neither party is liable for indirect or consequential damages" can quietly remove the bulk of what a serious failure would actually cost you, leaving only the narrow band of direct losses, themselves capped. When you read a liability section, do not just look at the dollar cap; look at which categories of damage are excluded entirely, because that exclusion can matter more than the number.

Liability caps beyond software

Although these clauses are most associated with SaaS and technology contracts, they appear across the board, and the same principles apply. In a services agreement, a low cap can leave you under-protected if the provider’s mistake causes real damage. In a construction or vendor contract, the cap interacts with warranties and indemnities to determine who bears the cost of a defect. Even some leases and equipment agreements limit the landlord’s or supplier’s liability. Wherever you see a limitation-of-liability clause, ask the same questions: is it mutual, is it proportionate to the harm that could occur, and does it exclude the losses that would actually hurt?

How insurance fits in

Liability caps and insurance work together, and the connection is easy to miss. A vendor may agree to a low cap precisely because they expect their insurance to cover catastrophic events — but that insurance protects them, not necessarily you, unless the contract requires it and names your interests. For higher-risk engagements, it is reasonable to ask the other side to carry adequate insurance (cyber, professional liability, general liability as appropriate) and to provide proof. Sometimes the most practical fix for a low cap is not raising the number but ensuring there is real insurance behind the obligations that matter most to you.

What to negotiate

If the cap is too low or one-sided, reasonable and commonly accepted requests include:

  • Make the cap mutual so both parties face the same ceiling.
  • Raise the cap to a more typical level, such as twelve months of fees.
  • Carve out data breaches, confidentiality, IP indemnity, and willful misconduct so they are not capped.
  • Narrow the exclusion of consequential damages, or carve out specific losses you care about.
  • Make sure your direct, foreseeable losses remain recoverable up to the cap.

The bottom line

A fair liability cap is mutual, sized to the real risk of the deal rather than a token amount, and leaves the most serious harms — data breaches, confidentiality, indemnities, willful misconduct — recoverable in full. A cap of "one month of fees," a one-sided limit, or a broad exclusion of consequential damages should all prompt a closer look and usually a negotiation. If you would rather not parse the limitation-of-liability language yourself, ClauseAudit reviews the contract in about a minute, flags low or one-sided caps and aggressive exclusions, and tells you in plain English how exposed you actually are — and what to ask for.

This guide is general information from ClauseAudit, not legal advice. Laws vary by state and change — consult a qualified attorney for your situation.