UK SaaS liability review
Caps, carve outs and indemnities
Before signature, renewal or redline

SaaS Liability Caps and Indemnities (UK)

In a SaaS contract, the clause that usually decides who carries the real financial risk is rarely the price point or the demo. It is the combined effect of the liability cap, indemnities, exclusions of loss, service credits and any carve outs that sit outside the cap.

A supplier can promise security, continuity and compliance, then limit recoverable loss to 12 months of fees or ask the customer for an open ended indemnity for uploaded data or breach of law. Under UK law these provisions are often enforceable, but the result depends on the drafting and the wider contract stack. If you want the broader supplier paper first, start with SaaS contract review UK or a fast contract risk check.

Vordex reads the liability clause, indemnity clause, DPA, security schedule, SLA and order form together. You get clause analysis, risk tags and plain English explanations so you can decide whether to sign, negotiate or escalate before you accept a low cap, a refund only IP remedy or a customer indemnity that runs wider than the risk you control.

  • Cap and carve out mapping: See the exact wording that decides the real exposure.
  • Built for SaaS stacks: DPA, SLA, security schedule and order form read together.
  • Plain English negotiation view: Fast answers before procurement approval, signature or redline.

Decision support, not legal advice. For public sector deals, regulated workloads, active disputes, unusual insurance issues or genuinely high value cross border SaaS transactions, take qualified legal advice.

Review focus
What a serious risk allocation review should surface
Built for live contract decisions
Cap basis

What the number is tied to, whether it resets and whether the fee base has any real connection to the loss that matters.

Carve outs

What sits outside the general cap, which liabilities are super capped and whether that matches real risk control.

Claims control

Who gives notice, runs the defence, chooses counsel, approves settlement and funds cooperation in a live claim.

Sole remedy traps

Whether service credits, refund only IP remedies or narrow transitions strip away the practical value of the wider clause package.

Why liability caps and indemnities matter more than the headline price

In SaaS, the subscription fee can be modest while the operational dependency is high. The clause family that decides who writes the cheque when something goes wrong deserves first review, not last.

The one minute answer

Start here

A liability cap sets the ceiling on what one party can recover from the other for covered claims. An indemnity reallocates defined risk and often deals with third party claims, defence costs, settlements and judgments.

The hard question is not whether the contract includes both clauses. It is whether the indemnity is capped, whether it sits outside the cap, who controls the claim, what losses are excluded and whether the wider agreement quietly reduces the remedy to service credits or a refund of unused fees.

  • What is the cap tied to?
  • Is it aggregate, per claim or rolling?
  • Which losses are excluded?
  • What sits outside the general cap?
  • Do service credits or refund only remedies wipe out the real claim?

Why customers and suppliers both misread this area

Commercial mismatch

Customers often ask only what the cap is and not what sits outside it. Suppliers often accept indemnity wording that sounds ordinary until someone compares it with the actual insurance or the risks the customer really controls.

Both mistakes come from reading the heading instead of the full risk design. If service credits, carve outs, DPA obligations and remedy mechanics are not read together, the contract is still only half understood.

If the real pressure point is wider supplier paper rather than liability wording alone, compare this page with SaaS contract review UK and SaaS contract termination and renewal.

The fee is small, but the loss is not

High impact

A payroll, billing, CRM, support or security platform can sit at the centre of a critical workflow even when the annual subscription is modest. If the service fails, a breach happens or a hurried migration is forced, the downstream cost can run far beyond the fee base.

That is why a cap tied to 12 months of fees may look ordinary on paper and still be commercially thin in practice.

An indemnity can look generous and still be weak

Often missed

A supplier may promise to indemnify the customer for IP claims, but if total liability is capped at one subscription year or the remedy ends with modify, replace or refund unused fees, the protection can collapse when disruption starts.

The existence of an indemnity matters less than whether it covers real claims, real costs and a real transition if the tool cannot continue in service.

The customer can become the insurer of the whole platform

High impact

Broad customer indemnities for claims arising out of customer data or use of the service can reach far beyond clearly unlawful uploads or instructions. Loose causation language can push product risk, security design issues or regulatory spillover back onto the buyer.

If the trigger is broad and the cap does not protect you, the contract can shift exposure far beyond what the pricing ever suggested.

Service credits can swallow the real claim

Often missed

A downtime credit is not the same as compensation for incident response, migration spend, consultancy time or a forced re procurement exercise. Small credits help with small failures. They do very little when the platform is embedded in a core operation.

If service credits are exclusive and the general cap is low, the contract may leave almost no practical recovery route.

Read the full clause stack, not one heading at a time

Liability and indemnity risk rarely sits in one place. The decisive wording is usually spread across the full supplier stack.

| Document | What usually hides there | Why it matters |
| --- | --- | --- |
| Limitation of liability clause | The general cap, any higher cap, excluded loss categories, payment obligations outside the cap and wording tied only to fees paid in the previous 12 months. | The cap headline can look manageable while the real exposure is driven by carve outs, exclusions and the mismatch between price and operational dependence. |
| Indemnity clause | Supplier IP cover, customer data or use indemnities, breach of law wording, settlements, defence control and whether the indemnity sits inside or outside the cap. | This is often the clause that decides who pays when a defined problem becomes a third party claim, legal bill or settlement demand. |
| SLA and service credits | Sole remedy wording, chronic failure triggers, refund only language and the difference between response times and an actual fix. | A customer can lose the right to meaningful damages if service credits quietly become the only remedy for serious operational failure. |
| DPA and security schedule | Processor obligations, sub processor controls, breach support, audit information, end of contract return or deletion language and overseas access paths. | A low cap can look less comfortable once the DPA and security terms show how much data and breach response risk is really in play. |
| Order form and pricing schedule | The fee base used to measure the cap, affected order form language, committed spend and a price that does not reflect the importance of the service. | A cheap contract can still support expensive failure. The fee base usually protects vendor economics, not necessarily customer risk. |
| Linked product terms and policies | Acceptable use restrictions, online updates, refund only IP remedies, open source notices and rights buried in web terms that the commercial team never compared. | Some of the sharpest limitations sit outside the clause heading everyone focused on during negotiation. |

SaaS liability cap checklist: what to review before you accept the number

The cap headline is only the start. What matters is how the cap is measured, how it works over time, what losses are excluded and which liabilities escape it completely.

What is the cap tied to?

Cap review

The first question is not whether the contract has a cap. It is what the cap is measured against. Many SaaS templates tie it to fees paid in the previous 12 months, the current subscription year or the affected order form only.

That may be commercially acceptable for a low impact tool. It can be badly misaligned for software sitting inside payroll, billing, customer support, finance or regulated personal data processing.

  • Check whether the cap is tied to historic fees, current year fees or a single order form.
  • Check whether the fee base has any sensible relationship to the loss event that matters most.
  • Check whether a low price is disguising a high dependency on the service.

Is the cap aggregate, per claim or rolling?

Cap review

A single aggregate cap is usually tighter than it first appears because every ordinary claim burns down the same pot. A per claim cap or a cap that resets each contract year can be materially different, but only if the drafting actually says so.

If the clause is silent, do not assume the cap refreshes just because the subscription renews.

  • Check whether the cap is one aggregate amount for the whole term.
  • Check whether a claim in year one reduces protection in year two.
  • Check whether the cap wording truly resets or only the contract price does.

Which losses are excluded?

Cap review

Suppliers often exclude indirect or consequential loss, loss of profits, loss of revenue, loss of goodwill, loss of anticipated savings and loss of data. The practical mistake is stopping at the label without checking whether the losses you would actually care about have been blocked.

Migration spend, incident response costs, consultant time, restoration work and re procurement costs should not be left to hopeful reading if they matter to the business.

  • Check whether loss of data is excluded without any restoration or export support.
  • Check whether migration, restoration and incident costs are expressly recoverable or effectively blocked.
  • Check whether the exclusions conflict with the SLA, DPA or security schedule.

What sits outside the general cap?

Cap review

The carve out sentence often decides the real deal. Payment obligations are commonly outside the cap. IP indemnities are often pushed higher or left uncapped. Some suppliers also try to keep broad customer indemnities outside the cap altogether.

A fair question is simple. If a liability sits outside the cap, which party actually controls the risk that triggers it?

  • Check whether supplier IP liability is uncapped, super capped or quietly limited by other wording.
  • Check whether customer data, use or breach of law indemnities sit outside the cap.
  • Check whether confidentiality, data protection or fraud carve outs are precise or open ended.

Are service credits or refund only remedies swallowing the claim?

Cap review

A low cap becomes even thinner if the SLA says service credits are the sole and exclusive remedy for downtime or performance failure. A supplier IP indemnity can also become commercially weak if the supplier can exit with a refund of unused fees and nothing more.

The words sole, exclusive and unused fees deserve immediate attention because they can strip away the practical value of the wider clause package.

  • Check whether chronic failure or security incidents still escape any sole remedy wording.
  • Check whether a refund of unused fees is the only meaningful IP remedy.
  • Check whether the contract preserves termination and transition leverage when the remedy fails in practice.

Does the cap fit the service and the insurance?

Cap review

A cap should be tested against the real dependency on the service and against the cover the parties actually hold. A clause can look balanced in negotiation and still sit badly outside the relevant insurance.

The smarter review asks what loss scenarios would hurt most, what cover responds and whether the contract allocates those risks at a level the business can survive.

  • Check professional indemnity, cyber or technology cover against the actual wording being agreed.
  • Check retentions, exclusions and contractual assumptions of liability before accepting uncapped language.
  • Check whether separate caps for different risks would fit the deal better than one flat number.

Clause by clause insight: what the wording means in real life

Labels do not tell the full story. These are the phrases that often look routine but carry most of the practical leverage.

01 "Supplier's total aggregate liability shall not exceed fees paid in the 12 months preceding the claim"

What it means: One low number may govern almost every ordinary claim. A modest annual fee can still sit beneath a large operational dependency.

What to negotiate: Ask whether the cap should be higher, reset, apply per claim or be separated for data, confidentiality, security or IP risk.

02 "Customer shall indemnify Supplier against any and all claims arising out of Customer Data or use of the Service"

What it means: The customer may be covering far more than clearly unlawful content or instructions. The wording can sweep in claims only loosely connected to customer conduct.

What to negotiate: Narrow the trigger, tie it to actual customer fault and exclude loss caused by supplier breach, negligence or insecure design.

03 "Service credits are the sole and exclusive remedy"

What it means: Serious failure may be reduced to a billing adjustment rather than a meaningful damages or exit route. That matters even more where the general cap is already low.

What to negotiate: Preserve other remedies for chronic failure, security incidents, material breach and any issue that makes the service commercially unusable.

04 "Supplier's sole obligation under this indemnity is to modify, replace or terminate and refund unused fees"

What it means: The supplier may be able to solve a major IP problem with a small refund, even where the customer faces significant migration cost and disruption.

What to negotiate: Keep third party claim cover alive and ask for transition support, migration time and a remedy that does more than refund the remaining subscription.

05 "All indemnity obligations are excluded from the liability cap"

What it means: The cap may not protect the party giving the indemnity at all. That can be defensible for a narrow supplier IP indemnity. It is much harder to justify for a broad customer use or data indemnity.

What to negotiate: Specify which indemnities sit outside or above the cap and why, instead of accepting a blanket carve out.

06 "Neither party shall be liable for any loss of data"

What it means: The contract may block the very loss scenario that mattered most. In SaaS, data loss is rarely just a missing spreadsheet. It can include logs, attachments, configuration and restoration effort.

What to negotiate: Define what data related loss is excluded, what restoration help is promised and whether migration, re build and incident costs remain recoverable.

How Vordex reviews SaaS liability caps and indemnities

Liability problems are rarely one line problems. They are interaction problems. That is exactly where AI review is strongest.

Step 1

Upload the whole SaaS pack

Add the order form, main agreement, SLA, DPA, security schedule, linked terms and any negotiated redlines together. Liability and indemnity problems are usually cross document problems.
Step 2

Map the cap, the carve outs and the indemnity triggers

Vordex identifies the general cap, any higher cap, uncapped carve outs, excluded loss categories, service credit traps, defence control wording and the points where the indemnity sits inside or outside the cap.
Step 3

Compare the main agreement against the DPA, SLA and order form

You see where the customer promise, the security promise and the remedy package do not line up, including refund only IP language, missing transition support and hidden cross references.
Step 4

Decide whether to sign, negotiate or escalate

The point is not a vague memo. It is a clear commercial decision on whether the risk allocation is safe enough to accept, which amendments matter and what genuinely justifies solicitor time.
AI first, solicitor second

A lawyer adds the most value where the contract is heavily negotiated, regulated, public sector, cross border, unusually high value or already moving into dispute. AI adds value earlier by triaging the pack, surfacing the clauses that matter and narrowing the issues that genuinely justify specialist time.

Why reviewing caps and indemnities before signature saves money

The expensive part of a weak SaaS risk package is rarely the subscription price. It is the third party claim, the migration bill, the incident response cost or the customer indemnity that was never priced into the deal.

Analyse Your Contract with AI

Free first look

Use AI when the contract is live and you need immediate visibility on caps, carve outs, indemnity triggers, claim control wording and service credit traps.

  • Immediate first pass on the contract stack.
  • Useful when the real question is whether the risk package is safe enough to sign.
  • Good starting point before deeper review or escalation.

Review Your Contract

£7.99

Use the £7.99 review for standard SaaS paper where the main question is whether the general cap, carve outs, service credits and standard indemnities are acceptable or need a short amendment list.

  • Best for more straightforward SaaS supplier paper.
  • Clause analysis, risk flags and plain English explanations.
  • Designed to give a proportionate first pass without delay.

Analyse Complex Contracts

£17.99

Use the £17.99 review when the real risk sits across the full pack: master terms, DPA, SLA, security schedule, negotiated redlines, unusual data flows or business critical dependency.

  • Suitable for layered SaaS packs with negotiated wording.
  • Useful where liability and indemnity risk is spread across several documents.
  • Built for higher stakes compliance, security and migration exposure.

FAQ

What is a liability cap in a SaaS contract?

A liability cap sets the maximum amount one party can recover from the other for covered claims under the agreement. In SaaS, the cap is often tied to fees paid in the previous 12 months or the current subscription term, which is why customers need to test whether that figure matches the real business dependency.

Are SaaS liability caps enforceable in the UK?

Often yes in business to business SaaS, but not without scrutiny. Liability for death or personal injury caused by negligence cannot be excluded, and other exclusions or limits can face the UCTA reasonableness test, especially on written standard terms.

What is the difference between an indemnity and ordinary damages?

Ordinary damages usually follow a breach claim between the contracting parties. An indemnity is a promise to reimburse defined loss when a stated event occurs, often including third party claims, defence costs, settlements and judgments. That is why a broad indemnity can create more exposure than an ordinary breach claim.

Can an indemnity sit outside the liability cap?

Yes, and that is often the most important commercial point in the clause. A narrow supplier IP indemnity may sit outside or above the general cap. A broad customer data or use indemnity outside the cap can be far harder to justify.

Should IP infringement liability be uncapped?

Not automatically. The better question is whether the supplier controls the code base, whether the indemnity covers real third party claims and whether the remedy is meaningful in practice. A refund only answer may be too weak for a business critical tool, but unlimited liability is not the only possible position.

Should data protection liability be uncapped?

There is no universal rule. Many teams prefer a higher dedicated cap or a carefully defined carve out rather than unlimited exposure across every data related issue. The sensible answer depends on the role of the service, the data involved, the sub processor chain and the actual incident costs the parties are trying to allocate.

Are service credits enough protection?

Usually not for serious failure. Small service credits may work for minor SLA misses, but they rarely cover chronic failure, a security incident, third party claims, migration spend or consultant time needed to stabilise operations.

What if the supplier's support team is overseas?

Then overseas access, sub processor chains and UK transfer rules need proper review. Restricted transfer questions can arise where personal data is made accessible to a separate organisation outside the UK, not only where data is actively sent abroad.

Does this page apply across England, Wales, Scotland and Northern Ireland?

Yes. The core statutory themes discussed here apply across the UK. The practical differences are usually governing law, forum, enforcement cost and bargaining leverage rather than the basic existence of caps, indemnities, processor obligations or transfer rules.

Can AI review liability caps and indemnities accurately?

For standard and moderately complex SaaS contracts, yes. AI is especially useful for finding the cap, carve outs, indemnity triggers, claim control wording and cross document inconsistencies. It is strongest as a first pass that narrows what genuinely needs human legal time.

Do I still need a lawyer?

Sometimes. Escalate if the deal is heavily negotiated, regulated, public sector, cross border, unusually high value, already disputed or tied to especially sensitive data or unusual insurance issues. For routine and mid weight supplier paper, AI is often the quickest proportionate first pass.

How much does contract review cost?

Vordex offers a free AI first look, a £7.99 review for more standard SaaS paper and a £17.99 complex review when the risk sits across a master agreement, DPA, security schedule, negotiated redlines, unusual data flows or business critical dependency.