Limitation of liability (LOL) clauses are routinely described as "standard" in commercial contract negotiations. Vendors say it. Outside counsel says it. Sometimes it is true. Often what "standard" means is "we use this language in all our agreements" — which is a statement about the vendor's preference, not about commercial market norms.
Understanding what is genuinely standard versus what is vendor-favorable requires decomposing the LOL provision into its constituent elements. The elements interact with each other: the cap amount alone does not tell you whether a limitation of liability clause is acceptable. The cap amount, the mutual versus unilateral structure, the excluded categories, and the relationship between the LOL clause and the indemnification clause together determine the actual liability profile of the agreement.
The Structure of a LOL Clause
A well-formed limitation of liability clause addresses three things: (1) the exclusion of consequential and indirect damages, (2) a cap on aggregate direct damages, and (3) carve-outs from both the exclusion and the cap for specified obligation types.
Each of these elements has a mutual versus unilateral dimension — they may apply equally to both parties, or they may apply differently (or only) to one party. That distinction is where most LOL clause analysis should begin.
Consequential Damages Exclusion
The consequential damages exclusion prevents either party from recovering lost profits, loss of business opportunity, and similar indirect economic losses arising from a breach. This exclusion is commercially standard in most B2B commercial agreements, and both parties typically accept a mutual exclusion without significant negotiation.
What varies is the scope of the exclusion. Language that excludes "indirect, incidental, special, punitive, consequential, or exemplary damages" is a broad exclusion. Language that narrows this to "consequential damages" without the broader enumeration can leave punitive damages and other categories available, which may or may not matter depending on the risk profile of the engagement.
The more important variation is the carve-out list. A consequential damages exclusion with a carve-out for "damages arising from a party's indemnification obligations" is standard — indemnification is separately structured and should not be subject to the consequential damages bar. A consequential damages exclusion with no carve-out for confidentiality breaches, data breaches, or IP infringement is a red flag for any agreement involving material data sharing or proprietary IP, because those are the breaches most likely to produce consequential losses.
Direct Damages Cap: Amount and Calculation
The aggregate direct damages cap limits the total amount either party can recover for contract breaches over the life of the agreement. The standard commercial position is a mutual cap at the fees paid in the twelve months preceding the claim.
Variations to flag:
Cap amount materially lower than fees paid: some vendor forms cap aggregate liability at a fixed dollar amount rather than fees paid. If that fixed amount is lower than what the customer has paid or will pay, the cap is effectively giving the vendor a floor on its liability below the fees the customer has contributed. A vendor who receives $500,000 in annual fees should not have its liability capped at $100,000 — that creates a perverse incentive structure.
Unilateral caps: the vendor's liability is capped; the customer's is not. Or more subtly: the caps are both present but the excluded categories under each cap differ, such that the vendor has meaningful protection while the customer's exposure under the excluded categories is larger. Read mutuality at the level of the full provision, not just the cap amount.
Aggregate lifetime versus annual reset: an aggregate cap that accumulates across the full agreement term without reset is materially different from an annual cap in long-term agreements. A five-year agreement with an annual fee of $300,000 has an aggregate lifetime damages cap of $300,000 under a non-resetting structure — which is approximately one-fifth of the exposure that would exist under an annual-reset cap of the same amount.
Carve-Outs: What Is Excluded from the Cap
Carve-outs are where the real structuring happens. Standard market carve-outs from both the consequential damages exclusion and the direct damages cap typically include: gross negligence and willful misconduct, IP indemnification obligations, confidentiality breaches, death or personal injury claims, and sometimes data breach and data security incidents.
The carve-out list reflects the categories where uncapped liability is commercially appropriate — the breaches serious enough that a damages cap would create moral hazard by shielding a party from the full consequences of its conduct.
The asymmetry to watch for: carve-outs that are structured differently for each party. The vendor's IP indemnification obligation is carved out — meaning uncapped. The customer's payment obligations are carved out. These are both standard. But if the customer's data breach liability is also carved out while the vendor's data breach liability remains subject to the cap, the parties have materially different exposure profiles for what is often the highest-probability high-severity incident in a data-sharing relationship.
We're not saying all LOL asymmetry is wrong. Asymmetric carve-outs can reflect legitimate differences in each party's role and risk. A vendor with custody of customer data has different data security obligations than a customer who provides that data; uncapped vendor liability for data breaches may be more commercially appropriate than uncapped customer liability for the same. The point is to evaluate the asymmetry explicitly rather than accepting it because the language appears standard.
The LOL–Indemnification Interaction
Limitation of liability clauses do not function in isolation — they interact directly with indemnification provisions, and the interaction determines the actual recovery available in the breach scenarios that matter most.
The standard structure: indemnification obligations are carved out from both the consequential damages exclusion and the direct damages cap. Indemnification provides recovery for third-party claims (IP infringement by a third party, data breach claims by third parties) that is separate from and not subject to the bilateral liability limits between the parties themselves.
The structural problem that appears in some vendor paper: indemnification is present, but the carve-out from the LOL cap either does not exist or is narrowly scoped. In practice, this means that the indemnification provision offers a remedy in principle but the LOL cap limits what is actually recoverable if the indemnification obligation is triggered. The provisions appear to work together; they do not.
The test: in the scenario where the vendor's product infringes a third-party patent and the customer faces a claim, what is the customer's maximum recovery from the vendor? If the answer is "the indemnification obligation is triggered but subject to the LOL cap," the customer's practical recovery may be insufficient to cover the third-party claim. If the answer is "the indemnification obligation is carved out from the LOL cap entirely," the customer has appropriate protection for this scenario.
Reviewing LOL Provisions in Practice
When we configure LOL review rules in Repovyn, we treat the provision as six separate checkable elements rather than one:
- Consequential damages exclusion — present and mutual?
- Carve-outs from consequential damages exclusion — present for at minimum IP, gross negligence, and data breach?
- Direct damages cap — present and at what calculation basis?
- Cap mutuality — does it apply to both parties equally?
- Cap carve-outs — what categories are excluded, and are they symmetric?
- LOL–indemnification interaction — is indemnification carved out from the LOL cap?
An agreement can score HIGH on element 4 (unilateral cap) while scoring OK on elements 1-3 and 5-6. That HIGH flag tells the reviewer exactly where the issue is and what to check in the counterparty's language, rather than flagging the entire LOL provision as problematic.
For teams reviewing vendor MSAs at volume, this decomposition is what makes LOL review efficient rather than exhaustive. Each element is a yes/no check against the playbook position. The reviewer does not need to reconstruct the analysis from scratch on each agreement; they need to identify whether each element is present and whether the counterparty's language on each element meets the playbook threshold.
The LOL clause is often the last clause in a commercial agreement, physically located at the back of the document in a section alongside general provisions and miscellaneous terms. That placement affects attention. A reviewer who has spent the most careful reading time on the operative provisions — scope, fees, IP — may have less attention remaining when they reach the LOL section. Systematic clause review addresses this directly: the LOL check happens regardless of where the clause sits in the document, and it applies the same analytical framework whether the agreement is the first of the day or the fifteenth.