Limitation of liability benchmarks for SaaS contracts in 2026

What is a fair limitation of liability cap in a SaaS contract today? Benchmarks by deal size, carve-outs that should always be uncapped, and the redline most buyers should propose.

The limitation of liability clause (“LoL”) is the single most-negotiated clause in any SaaS contract. It is also the clause where in-house counsel most often accept the vendor’s opening position because they do not have a benchmark to push back against.

This piece gives you that benchmark. It covers (1) what a fair liability cap looks like at each deal size, (2) the carve-outs that should be uncapped no matter what, and (3) the specific redline language most buyers should propose. The numbers come from our own review of hundreds of vendor MSAs across the SaaS market in 2025–2026.

The vendor’s opening position

The most common vendor default is to cap aggregate liability at the fees paid by the buyer in the six (6) months preceding the claim, with limited carve-outs. That is a starting position, not a final one. It is unusually low for any deal above $50k ARR.

Why six months? Because vendors’ insurance is typically priced against this exposure, and because procurement teams often accept it. Neither is a good reason for you to.

Benchmarks by annual contract value (ACV)

The right cap scales with the deal. These are the positions experienced buyers should push for in 2026:

  • Under $25k ACV. 12 months of fees, no floor. Vendors typically accept this without escalation. Pushing harder is rarely worth the cycles.
  • $25k–$100k ACV. 12 months of fees, with a $500k–$1M floor. Most vendors with experienced legal teams accept this; smaller vendors may push back.
  • $100k–$500k ACV. The greater of 24 months of fees or $2M. At this size, you are a material customer and have real leverage.
  • $500k+ ACV. 36 months of fees with a floor matched to your actual exposure (often $5M+). Enterprise vendors negotiate these caps individually based on buyer risk profile.

These are aggregate caps — the total ceiling across all claims in the term, not per claim. Push for aggregate. Per-claim caps with no aggregate are easier for vendors but worse for you in a series-of-incidents scenario.

Carve-outs that should be uncapped

Some categories of harm should never be subject to the cap. These are non-negotiable in any contract above $50k ACV, and you should walk if the vendor refuses:

  • Indemnification obligations. Especially third-party IP indemnity. The whole point of indemnity is to make you whole for a third-party claim; capping it defeats the purpose.
  • Breach of confidentiality. If the vendor leaks your trade secrets, your damages can be enormous and not closely tied to the contract value.
  • Breach of data security or privacy obligations. Especially when personal data is involved. Regulatory fines under GDPR or state privacy laws can dwarf the contract value.
  • Gross negligence or willful misconduct. Standard in every commercial contract; vendors who push back here are signaling something.
  • Payment obligations. Vendors typically push to keep your payment obligations outside the cap. Fair — but make it mutual.

For data breaches specifically, many sophisticated buyers now negotiate a super-cap rather than full uncapped liability — for example, 5× the regular cap for data breaches, instead of unlimited. That is often the right compromise when vendors refuse to go uncapped.

Consequential damages

Almost every vendor contract excludes consequential, indirect, special, and punitive damages. The reasons are well-established and most buyers accept this — but there is one nuance worth knowing.

Lost profits are sometimes considered direct damages and sometimes consequential, depending on jurisdiction and how the contract is drafted. If lost revenue from downtime or a data breach is a real concern, do not let the consequential damages waiver sweep it under the rug. Either carve out lost profits explicitly or make sure the liability cap is large enough to cover the realistic loss exposure.

The redline most buyers should propose

Here is a single replacement clause that captures the benchmark for a mid-market deal ($50k–$500k ACV). Adapt the dollar figures to your deal size:

Except for the Excluded Claims (defined below), each party’s aggregate liability under this Agreement shall not exceed the greater of (a) the fees paid by Customer to Vendor in the twelve (12) months preceding the claim, or (b) US $1,000,000. The Excluded Claims, which are not subject to this cap, are: (i) either party’s indemnification obligations; (ii) breach of confidentiality; (iii) breach of data security or privacy obligations; (iv) gross negligence or willful misconduct; and (v) Customer’s payment obligations.

Most vendors will accept this language with minor edits. The two pressure points are usually (1) the dollar floor — vendors often want it smaller or removed — and (2) the breach-of-data-security carve-out — vendors often want a super-cap instead. Both are reasonable compromises if you cannot get the full position.

Where buyers most often leave money on the table

Three recurring mistakes we see:

  1. Accepting a per-claim cap instead of aggregate. A per-claim cap of $500k sounds bigger than an aggregate cap of $1M — until you realize the per-claim version has no ceiling on the number of claims.
  2. Forgetting the floor. A “12 months of fees” cap on a $30k/year contract is $30k. If you are storing customer payment data through the vendor, $30k will not cover a single class-action filing fee.
  3. Not carving out the DPA. If you sign a DPA referencing the MSA, and the MSA caps liability at $30k, the DPA inherits that cap by default. Make sure the DPA either has its own (higher) liability provision or that data-related claims are explicitly carved out of the MSA cap.

Closing thought

LoL is the clause where the gap between “what most companies sign” and “what most companies should sign” is widest. The fix is rarely complicated; it is mostly about having a benchmark in front of you and being willing to send the redline. Vendors negotiate from defaults. So should you.

If you want a faster way to apply this benchmark across every contract you see, CounterClause lets you encode it as part of your playbook. Upload a contract and any clause that falls below your standard position gets flagged with a proposed alternative — including the LoL clause, with the right benchmark for the deal size.