ContractHQ
Start
All posts
Clauses

Mutual vs one-way indemnification explained

Indemnification sounds symmetrical until you read the clause. A plain-language walkthrough of when mutual indemnification makes sense and when one-way is the honest framing.

By ContractHQ Team8 min read

Indemnification is the clause everyone claims to understand and almost nobody actually reads. At a high level, it's the part of a contract where one party agrees to defend and pay for claims brought by third parties against the other party. It's about external lawsuits, not disputes between the two contract parties themselves.

The first real decision point in any indemnification section is whether the obligation runs one direction or both. A one-way indemnification puts the obligation on a single party, usually the vendor. A mutual indemnification puts overlapping obligations on both sides. The two structures look superficially similar on the page, but the practical risk allocation is very different.

This is a walkthrough of what mutual indemnification actually means, when one-way is the more honest framing, and the patterns that show up across hundreds of SaaS and services contracts.

What indemnification actually covers

Before the mutual-vs-one-way question, it helps to be precise about what indemnification is for. Indemnification clauses typically cover three things:

  • The duty to defend, the indemnifying party pays for lawyers and runs the defense of the lawsuit brought by a third party.
  • The duty to indemnify, the indemnifying party pays any settlement or judgment.
  • The duty to hold harmless, the indemnifying party makes the other party whole for collateral losses tied to the claim.

Which third-party claims get picked up depends on the clause. The three most common triggers:

  • IP infringement, a third party sues the customer claiming the vendor's software infringes a patent, copyright, or trademark.
  • Data and privacy violations, a third party (often a regulator or individual) sues over a breach involving the vendor's systems.
  • Bodily injury / property damage, more common in services and hardware, less common in pure SaaS.

In each case, indemnification is about the external claim. It's not about what happens if the vendor and customer have a dispute with each other, that's governed by the rest of the contract.

One-way indemnification: the default in SaaS

In most SaaS contracts, the first draft is one-way: the vendor indemnifies the customer, typically for IP infringement claims brought against the customer arising from the customer's use of the vendor's software.

This is the honest default for a reason. The vendor built the software. If that software infringes someone else's patent, the customer didn't have the knowledge or control to prevent it, only the vendor did. Pushing that risk onto the vendor is economically rational; the vendor is the "cheapest cost avoider."

A typical one-way IP indemnification reads something like: "Vendor will defend Customer against any third-party claim that Customer's authorized use of the Service infringes any US patent, copyright, or trademark, and will indemnify Customer for any damages finally awarded..."

Notice what's in that sentence:

  • "Authorized use." Use outside the license scope is excluded.
  • "Third-party claim." Claims between vendor and customer don't trigger the clause.
  • "US patent." Geographic scope is often explicit, broader scopes are negotiated.
  • "Finally awarded." Settlements require the vendor's consent to be indemnified.

When it becomes mutual indemnification

Mutual indemnification means both parties carry indemnification obligations, each for a different category of claim. The two obligations don't need to be symmetric in subject matter; mutual just means both sides have one.

A common structure:

  • Vendor indemnifies Customer for: IP infringement by the Service.
  • Customer indemnifies Vendor for: Customer Data (its content, its legality, its right to use it); Customer's misuse of the Service; Customer's breach of law in how it uses the Service.

This is mutual because both parties owe indemnification, even though they cover different categories. It's the most common structure in mid-market SaaS once a real legal team looks at the contract.

The logic is symmetric to the one-way vendor IP indemnity: the customer controls what data it uploads and how it uses the tool. If the customer uploads stolen content and a third party sues the vendor, the customer is the cheapest cost avoider for that category, so the customer indemnifies.

One-way in the other direction

Occasionally the one-way runs the opposite way, the customer indemnifies the vendor with no reciprocal obligation. This is rare in software contracts but shows up in:

  • Professional services where the vendor performs on customer systems. The vendor might require indemnification from the customer for claims arising from the customer's data or environment.
  • Reseller and channel agreements. A reseller often indemnifies the original vendor for claims arising from the reseller's marketing or sales conduct.
  • Custom development or white-label deals. If the customer is specifying the feature set, they sometimes indemnify for IP claims arising from the spec they dictated.

When a one-way indemnity runs from customer to vendor with no reciprocal obligation, it's worth asking why, sometimes there's a good reason, and sometimes it's just leverage.

What mutual gets right

Mutual indemnification is often the right structure because the two parties are doing genuinely different things and each is best positioned to manage their side of the risk:

  • The vendor controls the code. If the code infringes, the vendor has the insurance, the legal expertise, and the practical ability to fix it.
  • The customer controls the data and the use. If the customer uploads infringing content or uses the tool to break the law, the customer has the insurance, the knowledge, and the ability to fix it.

A mutual clause forces each side to own what they control. The resulting contract is usually more defensible and more likely to survive a dispute without the "who owes whom" question collapsing the whole negotiation.

Where mutual indemnification goes wrong

That said, "mutual" can be a label that hides asymmetric economic exposure:

Asymmetric scope

The vendor's side covers "IP infringement by the Service." The customer's side covers "any claim arising out of Customer's use of the Service, Customer's data, Customer's breach of this Agreement, or Customer's violation of law." The second clause is dramatically broader. It looks mutual because both sides have an obligation, but the customer's obligation is a catch-all that sweeps in most realistic claims.

Asymmetric caps

Mutual indemnification with different caps isn't really mutual. If the vendor's indemnity is capped at $500K and the customer's is uncapped, the symmetry on paper is cosmetic.

Asymmetric carve-outs

Indemnification obligations usually carve out from the overall liability cap, meaning indemnified claims aren't subject to the standard liability ceiling. If only one party's indemnification is carved out, only one party's exposure is uncapped.

Reading a mutual indemnification clause means reading both directions and comparing: same scope? Same cap? Same carve-outs? If the answer is no to any of these, the clause is mutual in name only.

Standard exclusions to IP indemnification

Even a robust vendor-to-customer IP indemnification usually excludes certain scenarios:

  • Combination claims. The customer combined the vendor's software with third-party components, and the infringement only exists because of the combination.
  • Modifications. The customer modified the software, and the modification is what infringes.
  • Use outside scope. The customer used the software in violation of the license.
  • Use after notice. The vendor notified the customer to stop using an infringing version, and the customer kept using it.

These exclusions are standard and generally reasonable. They're also worth reading because broad combination-claim exclusions can effectively swallow the indemnity in integration-heavy environments.

The vendor's "remedy" options

Most IP indemnities give the vendor three options once a claim is brought:

  1. Procure the right for the customer to keep using the software.
  2. Modify the software so it no longer infringes.
  3. Terminate and refund (usually prorated).

Option 3 is the vendor's out. If the infringement is expensive to fix, the vendor can simply refund the remaining term and walk away, leaving the customer to find a replacement and eat any business disruption. Sophisticated customers sometimes cap option 3 as a last resort or require a grace period to transition.

Common negotiation moves

Teams negotiating indemnification tend to work a few recurring levers:

  • Expand IP indemnity scope. US patents only → worldwide patents, copyrights, trademarks, and trade secrets. Geographic and category expansions are the most common asks.
  • Carve indemnification out of the liability cap. Make indemnified claims uncapped, or subject to a higher "super-cap," so the indemnity actually has teeth beyond 12 months of fees.
  • Narrow the customer's return obligation. Tighten "any claim arising from Customer's use" to specific categories, customer data, customer's violation of law, customer's use outside license scope.
  • Symmetrize caps and carve-outs. If both sides indemnify, both sides' indemnities should have matching treatment under the liability cap.
  • Require notice and control. Specify that the indemnified party must promptly notify and give the indemnifying party control of the defense, otherwise the indemnification can be argued away post-hoc.

The bottom line

Mutual indemnification is usually the honest structure because each party controls different risks. But "mutual" on the label doesn't mean symmetric in the substance. The scope of each side's obligation, the cap treatment, the carve-outs, and the standard exclusions all need to line up, or the mutuality is cosmetic.

One-way indemnification isn't inherently unfair, it reflects the reality that one party did more of the thing being indemnified. The key is whether the direction of the obligation matches the direction of the control. Vendors build the code; customers control the data. Getting the indemnification to reflect that split is what the negotiation is actually about.

Legal notice

The content on this page is provided for general informational and educational purposes only. It does not constitute legal, tax, financial, or professional advice. No attorney-client, fiduciary, or other professional relationship is formed by reading this article, contacting ContractHQ, or using the ContractHQ product. Laws vary by jurisdiction and change over time; nothing here is a substitute for advice from a licensed attorney in your state or country. ContractHQ makes no representations or warranties regarding the accuracy, completeness, or timeliness of the information. You use this content at your own risk. If you have a specific legal question, consult a qualified attorney.

About the author

Unless explicitly stated otherwise, ContractHQ authors are not licensed attorneys. Bylines identify the writer, not a legal representative. Guest posts from licensed attorneys, when published, are clearly marked as such.

© 2026 ContractHQ. All rights reserved.