Liability 101: liability clauses in technology and outsourcing contracts

Global | Publication | September 2025

Liability is often a contentious topic (and typically the last provision to be agreed) in a technology or outsourcing contract negotiation. In a claim for losses suffered in connection with the contract, liability clauses can function as both a sword to the claimant and as a shield to the other party, if they are clearly drafted, by providing for:

The losses that can be claimed, and the circumstances as to when a party’s liability is unlimited (i.e. a sword to the claimant); and
The losses that cannot be claimed, and the maximum amounts for which a party can be responsible (i.e. a shield to the other party).

Focusing on English-law governed technology and outsourcing contracts, here we:

Provide an overview of what we typically expect to see in liability clauses.
Examine some key considerations in relation to such clauses.
Discuss the parties’ disparate interests in negotiating them; and
Highlight some recent market trends in the allocation of risk for liability in technology and outsourcing contracts. (We do not attempt to set out the law in general on liability clauses, as our intention is to focus on the parties’ respective commercial positions and current market norms).

Risk allocation
What goes into a liability clause?
Unlimited liability
Excluded losses
Financial caps on liability
Other considerations

Risk allocation

The purpose of a liability clause is to allocate risk. While the negotiations often centre around legal principles and drafting, risk is ultimately a commercial issue, the appetite for which is driven by commercial imperatives.

Each party will be seeking to minimise its own financial exposure under the contract, while at the same time ensuring that it has adequate recourse to the other party for potential losses.

Not necessarily reciprocal

A fair allocation of risk in a technology or outsourcing contract seldom results in reciprocal liability provisions for the simple reason that the parties’ individual risk profiles are typically fundamentally different.

For example:

A service provider is typically in a position to cause far greater damage to its customer than vice versa.
The customer’s main objective will be to maximise the service provider’s liability for technology or service failures and other breaches that could have a substantial impact on its business, regulatory standing or reputation (such as security incidents or breach of law).
The service provider, on the other hand, will want to limit its liability for providing (or failing to provide) the services as much as possible while maintaining the customer’s liability to pay for the services. Depending on the technology or services involved, it may also be concerned about its own potential losses resulting from misuse of its intellectual property, disclosure of proprietary information or claims from end users or other third parties interacting with its technology or services.

What goes into a liability clause?

How a business approaches the allocation of risk in a liability clause depends on a number of factors, ranging from the industry in which the parties operate, the governing law and the parties’ bargaining position.

The approach is likely to vary jurisdictionally. For example, in technology and outsourcing contracts governed by US law (or drafted by US parties), liability provisions may be drafted not as a series of exclusions, but rather, in the form of an indemnity allocating risk.

From an English law perspective, a liability clause in a technology or outsourcing contract typically includes the following provisions (it is worth noting that liability provisions may be scattered throughout the contract and are not always contained in a single “Liability” or “Limitation of liability” clause):

Unlimited liability: A clause providing for those instances where limitations and exclusions of liability are disapplied so that a party can be liable.
Excluded liability: A clause providing for the types of losses that cannot be claimed. (Sometimes this is accompanied by a so-called “assumed losses” clause, which sets out the kinds of losses that can be claimed); and
Financial caps: The maximum amounts that can be claimed from a party (except where its liability is unlimited).

We discuss each of these in turn.

Unlimited liability

“Nothing in this Agreement limits or excludes a Party’s liability for: … ”

This clause sets out the situations where the parties have agreed that neither party may rely on the financial caps and exclusions set out in the contract (including where the parties cannot limit or exclude liability as a matter of law):

Where the law prevents a party from limiting or excluding its liability: In the UK, the Unfair Contract Terms 1977 provides that liability cannot be limited or excluded for death or personal injury resulting from negligence (nor for certain breaches of the Sale of Goods Act 1979). As a matter of public policy, the common law sometimes also provides that liability cannot be limited or excluded (e.g., in the case of fraud in some circumstances). Where the law does not permit it, liability should not be limited or excluded, as otherwise there is a risk that the whole liability clause could be found to be unenforceable (especially where, because of the way it has been drafted, it is not possible for the court to “sever” the unenforceable part of the clause).
Negotiated positions: The parties may agree to disapply the financial caps and liability exclusions, reflecting the facts and the risks that arise under the contract. For example:
- In licences and other service contracts based on proprietary technology, the service provider may have uncapped liability for losses resulting from infringement of third-party intellectual property rights (which is usually framed as an uncapped indemnity given by the service provider).
- Providers of SaaS or cloud platforms may insist on their users accepting uncapped liability (also usually in indemnity form) for infringement of third-party rights or for breach of law caused by the data they upload to the platform.
- Amounts payable by the customer under the contract, such as the licence or service fees, are typically excluded from the ambit of the liability caps and exclusions. The customer may want the same principle to apply to amounts payable by the service provider, such as service credits or liquidated damages for delay, but this can be contentious.

Market trends

As at the date of publication, we are seeing the following market trends in relation to liability in technology and outsourcing agreements:

Financial caps and exclusions are sometimes disapplied where there is a wilful breach or wilful misconduct by a party. This is a disadvantageous position for a service provider in particular. For more information on the law in this area, see our article, Wilful misconduct and deliberate breach.
The liability clause may provide that the only uncapped indemnity the service provider gives is for third-party intellectual property right claims. Such indemnity may be limited to amounts payable to the third party (perhaps on a “finally adjudicated” basis) and costs associated with the claim (that is, the indemnity does not cover replacement of the infringing system itself). Service providers have been adopting this position for some time, and customers are now more frequently accepting it. In the less likely scenario that a service provider agrees to give a warranty against infringement (that is, it gives coverage not limited to the payment of claims, and extending to the system itself), its liability under the warranty will now typically be capped.
The contract may provide that liability for breaches of data protection and security provisions is subject to a so-called “super cap” (i.e. a separate and/or higher limit on liability), as opposed to unlimited liability for such things. This is increasingly extending to confidentiality breaches as well (which were historically typically unlimited).
A refusal by outsourced service providers to accept unlimited liability for regulatory breach. This is sometimes the subject of a super cap as well.

Excluded losses

“Neither Party shall have any liability to the other Party for: … ”

This clause lists the types of losses a party is unable to claim (that is, excluded losses).

When a party is calculating its losses that arise “under” (that is, from a breach of contract) or “in connection with” (that is, in tort) the contract, it will only be able to claim the types of losses that the contract permits. Technology and outsourcing contracts almost invariably exclude liability for indirect or consequential losses, but the parties often agree that certain other losses are excluded too, regardless of whether they are direct or indirect.

These may include (among others):

Loss of profit or revenue.
Loss of goodwill.
Loss of opportunity.
Wasted expenditure.
Loss of data.

As at the date of publication, a market-standard position typically excludes liability for these types of losses. Some favour both parties and so are seen as less contentious. For example, excluding “loss of profit or revenue”:

Protects the service provider against liability for the impact of service failures on the customer’s profits.
Protects the customer from liability for the service provider’s loss of revenue where there is an early termination of the contract by the service provider due to the customer’s breach.

The list of excluded losses should always be considered on a case-by-case basis so not to prevent a party from claiming the kinds and types of losses that are most likely to flow from the other party’s breach.

For example, a well-advised customer would not accept a “loss of data” exclusion in a scenario where data processing or storage is a central component of the service provider’s activities.

Market trends

As at the date of publication, we are seeing customers more frequently and successfully resisting the standard “loss of use” exclusion in SaaS and cloud contracts.

From the customer’s perspective, loss of use of a platform (either temporary or permanent) is one of the main consequences of a service failure on by the provider. Making the platform available is also the service provider’s core obligation, and such an exclusion implies that it may not be liable for failing to do so.

Service providers may wish to draft more precisely to exclude the types of loss that may flow from the customer not being able to use the platform, to the extent not already captured in other exclusions, like “loss of revenue” (or not otherwise excluded by the application of force majeure or relief provisions).

Assumed losses clauses

Technology or outsourcing contacts sometimes include a clause dealing with so-called “assumed losses”, which sets out specific types of losses that the parties have agreed are to be recoverable even though they might otherwise be excluded on the basis that they:

Are indirect or consequential losses; or
Would otherwise be covered by another specifically excluded category of loss.

Such clauses are typically drafted unilaterally in favour of the customer. They have traditionally been more common in business process outsourcing contracts than in licences and other technology-driven contracts but are now more frequently included in contracts for business-critical platforms.

Market trends

Service providers who might otherwise resist the inclusion of an assumed losses clause might be more open to including one if it is expressly stated that the service provider does not have uncapped liability for the assumed losses.

An example of drafting to achieve this is:

“The Parties agree that the following Losses shall be recoverable by [Customer] under or in connection with this Agreement notwithstanding the exclusions of liability in clause [x], but subject to the financial limits on [Supplier’s] liability in clause [y]:

(a) [list of assumed losses]; and

(b) ….. ”.

Types of losses that are frequently negotiated for inclusion in an assumed losses clause include:

Costs of re-procurement and/or transition to a new service provider where a contract is terminated early for the existing service provider’s breach. In our experience, service providers will often agree to shouldering the costs of a re-procurement exercise where early termination takes place within the first year or so of the contract term, and some will accept limited transition costs, but few will accept responsibility for any differential in the service fees where the new service provider charges more.
Regulatory fines and penalties imposed on the customer by a regulator, and the costs of investigations and/or remedial action required by a regulator where those fines and costs directly relate to the service provider’s breach (as opposed to a fine levied because the customer is already in regulatory breach for other non-related issues and the regulatory breach caused by the service provider is the final straw). These are particularly relevant where the customer is in a regulated industry (for example, banking and financial services).
Costs of correcting data that was destroyed or corrupted by the service provider. Its willingness to accept this typically depends on whether or not it is also responsible for retaining back-ups. If not, it may seek to limit its liability to restoring data to the last available backup.

Financial caps on liability

“[Party A’s] total liability to [Party B] for any losses incurred or suffered by [Party B] shall be limited to: … ”

This clause provides for the maximum amount for which a party is liable where claims arise under the contract. There is no magic formula for what a party’s liability cap should be - it is ultimately a commercial decision for each party based on an assessment of risk versus reward. That said, liability limits are often derived from market norms which differ depending on the nature of the technology or outsourcing in question.

Common approaches we see in technology and outsourcing contracts include:

Linking maximum liability to a multiple of the service fees and/or, a fixed amount, or to an amount that reflects the relevant party’s insurance coverage.
Caps on liability that vary depending on the scenario in which the claim arises. For example, breaches of data protection obligations may have a larger liability cap than for other breaches of the contract (this is another example of a so-called “super cap”).

While there are many other aspects of liability not dealt with here, the main principle to bear in mind is that liability caps should reflect the risk and reward under a contract.

A service provider will be reluctant to accept a liability cap that is out of proportion to the revenue it receives from the customer and the profit margin it can make from that revenue. On the other hand, the customer may argue that a cap exceeding such revenue is justified because of a particular risk presented by the services or technology.

In any event, the caps should be high enough to incentivise performance; if its caps are too low, the relevant party may consider that it is easier to walk away from the contract than to perform the contract.

Market trends

As at the date of publication, we are commonly seeing the following:

Customer caps: Customer liability caps that are linked to 100% of the fees paid or payable under the contract. Customers are generally not particularly concerned about how their own liability caps are structured - for example: (1) as an annual cap or a cap applying to all claims over the term of the contract; and (2) a cap linked to individual services or all services collectively. The approach taken is typically determined by what the service provider is actually prepared to accept.
Cloud and SaaS providers: They are unlikely to accept liability caps in excess of 12 months’ fees for the relevant service over the term of the contract. Depending on bargaining power, this might be improved to an annual cap or a cap linked to all services collectively.
Outsourced service providers: They sometimes accept higher liability caps than technology service providers, particularly in asset management and other business process outsourcings (with the market standard typically being 200% or more). This may be accompanied by key exclusions or indemnities that mitigate the service provider’s risk, such as for losses resulting from properly acting on the customer’s instructions.
Liability caps for data and security breaches: These vary widely from 100% - 500% of the fees paid or payable under the contract. The percentage agreed is influenced by the actual data risks involved and the customer’s bargaining power.

Other considerations

There are, of course, a number of other principles and aspects to liability clauses that are not addressed here, including:

Whether the liability caps and exclusions apply not only in relation to a party to the contract, but in relation to its affiliates and other members of that party’s group who might be providing or receiving the services.
Whether claims are time-barred (i. e. a time limit on when claims must be brought by); and
Whether claims under or in connection with a contract involving group members must be funnelled, so only one party of a group may make claims (including on behalf of other group members), and such claims may only be made against the other party (and not other members of its group).

Overall, liability clauses need to be carefully considered so that risk is allocated to the party best able to ameliorate that risk.

Want more information?

For more information in relation to:

Liability in relation to technology and outsourcing contracts, see our knowledge hub Outsourcing insights.
Liability in asset management outsourcing, see our article Asset management: Risk allocation and liability profiles in technology contracts and outsourcings for asset managers.
Liability for cyber incidents, see our article Do your technology and outsourcing contracts properly address liability for cyber incidents?
Indemnification, see our article Indemnification.

Contacts

Nick Jens

Associate

nick.jens@nortonrosefulbright.com

London

T: +44 (20) 74443013

Kerri Gevers

Counsel

kerri.gevers@nortonrosefulbright.com

Dubai
London

T: +971 (4) 3696365

James Russell

Head of Technology Transactions - Europe, Middle East and Asia

james.russell@nortonrosefulbright.com

London

T: +44 (20) 74443902

Recent publications

Publication