Carve-outs from the liability cap: the clauses that matter most

The dollar figure on a limitation of liability cap gets most of the attention in a negotiation. "One times fees, two times fees, a fixed $1M floor", that's where the back-and-forth usually happens. But the number is only half the story. The other half is the list of exceptions: categories that sit outside the cap, where either a higher ceiling or no ceiling applies.

These are the liability cap carve-outs, and they often matter more than the cap itself. A customer with a $100K cap and aggressive carve-outs for data breach, IP indemnification, and confidentiality has meaningful recourse in exactly the scenarios that produce large losses. A customer with a $5M cap and no carve-outs can still be left exposed if the worst-case loss falls into a category that routes outside the standard recovery framework.

This is a walkthrough of how liability cap carve-outs work, the categories that typically get carved out, and what the carve-out language quietly allocates.

What a carve-out actually does

A carve-out is a sentence (or list) inside the Limitation of Liability clause that says: this cap does not apply to the following categories. The effect is that claims in the carved-out categories are either:

• Uncapped, subject to no dollar ceiling at all.
• Super-capped, subject to a higher, specifically-named ceiling that applies only to those categories.

A typical carve-out sentence looks something like: "The foregoing limitations shall not apply to: (a) Vendor's indemnification obligations under Section 10; (b) breach of confidentiality under Section 8; (c) a party's fraud, gross negligence, or willful misconduct; or (d) a party's payment obligations under this Agreement."

Four items, each doing specific work. The cap, whatever dollar figure it is, governs everything else. These four categories escape it.

Why carve-outs exist

Liability cap carve-outs exist because a single uniform cap can't accommodate the range of claims that can arise under a commercial contract. Some claims are small, routine, and well-bounded by a trailing-fees figure. Others are catastrophic, rare, and categorically different in risk profile. The cap works for the first; it doesn't work for the second.

Carve-outs are how contracts acknowledge that some losses shouldn't be forced into the standard cap framework at all, either because the potential harm is too large (data breach), because the legal system wouldn't enforce the cap anyway (fraud, gross negligence), or because capping the obligation would make the whole contract incoherent (payment obligations).

The short list of common carve-outs

Across hundreds of SaaS and services contracts, the carve-out list is remarkably consistent. Four categories show up over and over.

1. Indemnification obligations

The most common carve-out. If the vendor indemnifies the customer for third-party IP infringement claims (or the customer indemnifies the vendor for data-related claims), those indemnification obligations are usually carved out of the general cap. This matters because indemnified claims are the claims most likely to generate large, hard-to-quantify losses, patent litigation, regulatory enforcement, class actions. Capping them at 12 months of fees would make the indemnification largely cosmetic.

Carve-out structures vary:

• Fully uncapped indemnification. Whatever the claim costs, the indemnifying party pays. Most customer-friendly.
• Super-capped indemnification. A higher ceiling (2x-5x fees, or a fixed number) applies only to indemnification. Most common middle ground.
• Carved out but referenced elsewhere. The cap clause excludes indemnification, and a separate section sets a specific limit.

2. Confidentiality breach

If one party leaks the other's confidential information, trade secrets, pricing, roadmap, customer lists, the harm is often large and hard to measure. Most sophisticated contracts carve confidentiality breach out of the general cap. Sometimes it's fully uncapped; more often it's super-capped.

A wrinkle: the consequential damages exclusion (which sits separately in the clause) can also catch confidentiality losses, because confidentiality losses are often consequential in nature, lost business, reputational harm, competitive disadvantage. To be meaningful, a confidentiality carve-out sometimes needs to escape both the cap and the consequential exclusion. Reading the interaction between the two matters.

3. Fraud, gross negligence, and willful misconduct

Courts in most US jurisdictions won't enforce contractual limitations on liability for intentional or grossly negligent wrongdoing regardless of what the contract says, so this carve-out is often just restating the legal default. Still, making it explicit has two benefits:

• It removes ambiguity about whether the carve-out exists, which simplifies dispute resolution.
• It can narrow the carve-out (some contracts carve out only fraud, not gross negligence; this matters because the standards differ).

The definition of "willful misconduct" is worth reading carefully. Some contracts define it narrowly (only conscious disregard of a known duty); others use a broader formulation. The narrower the definition, the more the cap survives in litigation.

4. Payment obligations

Almost always carved out. The reasoning is simple: a contract where the customer's obligation to pay is capped at "12 months of fees paid" is a contract that can't enforce its own fee schedule. Payment obligations sit outside every cap in essentially every commercial contract.

Less common but meaningful carve-outs

Beyond the core four, a few additional carve-outs show up in more sophisticated deals:

Data breach and security incidents

Increasingly common as a standalone carve-out, separate from indemnification. The theory is that a data breach produces a mix of first-party costs (internal investigation, notification costs) and third-party claims, and the carve-out should cover both. Often super-capped rather than uncapped.

IP ownership warranties

Separate from the IP indemnification carve-out. A warranty that the vendor owns the code (or has rights to license it) is sometimes carved out because breach of that warranty threatens the entire deal's foundation. If the software turns out to be stolen, a 12-month fees cap is not a meaningful remedy.

Regulatory compliance

For vendors serving regulated industries (healthcare, finance, education), breach of specific compliance warranties (HIPAA, GLBA, FERPA, SOC 2) can be carved out. Usually super-capped.

Violations of law

A general "any claim arising from a party's violation of applicable law" carve-out sometimes appears. Broad, and often resisted by vendors because it can swallow too much.

Abandonment and willful cessation

In long-term or mission-critical contracts, a carve-out for the vendor's willful abandonment of service is occasionally negotiated. Rare, but meaningful for customers whose business depends on continuity.

How the carve-outs interact with other sections

A carve-out from the liability cap doesn't automatically carve the same claim out of other limitations in the Limitation of Liability clause. A few interactions worth understanding:

The consequential damages exclusion

The cap carves out the dollar ceiling. But most clauses have a separate exclusion for consequential damages (lost profits, lost revenue, lost data). A claim carved out of the dollar cap but still subject to the consequential exclusion is capped in a different way, the dollar figure is uncapped, but the categories of damage that can be recovered are narrowed.

Truly unrestricted liability requires carve-outs from both the cap and the consequential exclusion. Contracts that want to do this explicitly usually phrase it: "The limitations in this Section (including both the aggregate cap and the exclusion of consequential damages) shall not apply to..."

The mutual vs. one-way question

Carve-outs can be mutual or one-sided. Both parties can have their indemnification obligations carved out of the cap, or only the vendor's. Both parties can have confidentiality carved out, or only the customer's trade secrets. Asymmetric carve-outs are often the hidden asymmetry in an otherwise "mutual" looking clause.

Timing and survival

Most limitations of liability (including carve-outs) survive termination. A few don't. Reading the survival clause matters because claims often surface after termination, and a cap that doesn't survive can change the analysis entirely.

What a cap with no carve-outs actually means

Some contracts, especially SMB SaaS templates, click-through agreements, and free-tier terms, have limitation of liability clauses with no carve-outs at all. The single cap applies to everything, including indemnification and confidentiality breach.

When this happens, a few things are true:

• The indemnification is largely cosmetic. If the vendor indemnifies the customer for IP infringement but the total liability is capped at $10K, the customer gets $10K in defense costs and walks away.
• The confidentiality obligation has limited teeth. Even a deliberate leak is bounded by the cap.
• The contract is fundamentally SMB paper. This isn't necessarily wrong, it's appropriate for low-value, low-risk deals, but it's not enterprise-grade.

Identifying "cap with no carve-outs" quickly is a useful skill because it tells you where the contract sits on the risk-tolerance spectrum.

Common negotiation moves

Teams actively negotiating liability cap carve-outs tend to work several recurring levers:

• Carve out indemnification. The highest-value ask. If indemnification is subject to the standard cap, the indemnification is toothless. Pushing it out (or into a super-cap) is almost always worth the negotiation capital.
• Carve out confidentiality breach. Often granted, and often the difference between a confidentiality clause that matters and one that doesn't.
• Carve out data breach separately. Not always the same as indemnification, and worth its own line. Super-capped is usually a sufficient middle ground.
• Carve out from both cap and consequential exclusion. For categories where the losses are inherently consequential (confidentiality, data breach), carving only out of the cap is incomplete.
• Symmetrize the carve-outs. If only one party's obligations are carved out, the "mutual" limitation isn't mutual. Making carve-outs symmetric is a common cleanup.
• Narrow the fraud/gross negligence carve-out. Vendors sometimes want to limit this to "fraud" only, excluding gross negligence. Customers usually push for both. The outcome depends on leverage.

The bottom line

Liability cap carve-outs are the parts of the Limitation of Liability section that most negotiations underweight. The dollar cap is the headline number, but the carve-out list is what determines which claims actually hit that cap in practice.

A sophisticated contract has a clear three-tier structure: ordinary claims capped at the general cap, high-risk categories at a super-cap, and a narrow set of uncapped categories (fraud, willful misconduct, payment obligations). The categories that escape the cap are usually the categories most likely to produce real dollars in a dispute. Getting those categories placed correctly, and confirming that the carve-out escapes the consequential exclusion too where needed, is where most of the real risk allocation happens. The cap number is a placeholder. The carve-outs are the actual contract.