Indemnification clauses have a surface appearance of balance that obscures how frequently they are not. A mutual indemnification structure — each party agrees to indemnify the other for claims arising from its own breach — sounds equitable, and in its simplest form it is. The problem is that commercial indemnification clauses are rarely simple. They are modified by carveouts, coverage triggers, procedural conditions, and scope definitions that can shift the effective allocation of risk substantially from what "mutual indemnification" implies.
The patterns discussed below represent structural vulnerabilities that appear frequently enough in enterprise commercial agreements to warrant attention on initial review — and that are easy to miss precisely because the clause's headline structure appears balanced. This article is intended for counsel who are beyond the basics and are looking to sharpen their first-pass review for the less obvious failure modes.
This is educational content, not legal advice. Indemnification analysis requires counsel to evaluate the full agreement in context, and specific positions should be determined with qualified legal guidance.
The Asymmetric IP Carveout
Third-party intellectual property indemnification is typically presented as one of the clearest customer-protective provisions in a technology agreement. The vendor agrees to indemnify the customer against infringement claims arising from the vendor's product. The customer agrees to indemnify the vendor against infringement claims arising from the customer's content or modifications to the product. In principle, each party bears IP risk for what it brings to the relationship.
The asymmetry often enters through the IP carveout. Most vendor forms include a carveout to the vendor's IP indemnification obligation for infringement claims that arise from customer modifications, customer combinations of the vendor's product with other software, or customer instructions that directed the allegedly infringing design. These carveouts are facially reasonable. The problem is drafting breadth. A carveout that covers infringement "arising from or related to" the customer's combination of the vendor product with other software can be read to eliminate the IP indemnification obligation in any scenario where the customer uses the vendor's product as part of a larger stack — which is virtually every enterprise deployment.
The test for an overbroad IP carveout is to construct a realistic infringement claim scenario and walk it through the clause. If a patent holder claims that the vendor's authentication module infringes a patent, and the customer deploys that module alongside an identity provider the customer also uses, does the combination carveout apply? Under a broad reading, it might. If that carveout effectively eliminates the IP indemnification for any practical scenario, the clause provides less protection than its headline structure suggests.
The Data Breach Indemnification Gap
Many enterprise SaaS agreements include mutual indemnification but are silent on — or explicitly exclude from coverage — claims arising from data incidents attributable to the vendor's security failures. The structure is frequently: vendor indemnifies customer for third-party claims arising from vendor's breach of the agreement or negligence; liability cap applies to all claims including indemnification obligations; data breach costs are consequential damages and are excluded by the consequential damages waiver.
The practical result of this structure is that a vendor-caused data incident generates costs — customer notification, regulatory response, customer litigation defense, potential regulatory fines — that are not covered by the indemnification, are capped at a relatively small liability ceiling, and may be characterized as consequential damages subject to waiver. The customer has an agreement with a vendor that processed sensitive data, and effectively bears the largest portion of the financial consequences of the vendor's security failure.
This is increasingly recognized as an unacceptable risk allocation for agreements involving significant data processing obligations. The market correction has been to explicitly carve data incidents out of the consequential damages waiver, to establish a separate (often higher) cap for data-related claims, and to require vendor indemnification for third-party claims arising from the vendor's breach of its data security obligations. Not all vendors accept these positions, particularly at lower contract values, but counsel should ask for them and document the business decision when they are not obtained.
The Procedural Condition Trap
Indemnification obligations are typically conditioned on procedural requirements: the indemnified party must provide prompt notice of any claim, must tender control of the defense to the indemnifying party, and must cooperate in the defense. These conditions are standard and generally reasonable. They become problematic when they are drafted in a way that allows the indemnifying party to void its obligation based on any procedural deficiency, even one that caused no prejudice.
The specific language to watch is in the notice requirement. A clause that conditions indemnification on "prompt" or "immediate" notice — without a prejudice carveout — allows the vendor to deny indemnification coverage if the customer gave notice after 20 days rather than within whatever shorter period the vendor's counsel asserts was required, even if the vendor's ability to defend the claim was not affected by the timing. Courts in many jurisdictions have moved away from strict forfeiture for notice breaches that cause no prejudice, but contract language that still tracks the strict-timing approach can generate litigation about whether prejudice exists — an expensive dispute on top of the underlying claim.
We're not saying all procedural conditions on indemnification are unreasonable — providing control of the defense to the indemnifying party is a legitimate condition that affects their ability to manage their exposure. We're saying that notice requirements in particular should be drafted to condition forfeiture on prejudice, not on strict timing compliance. That modification is typically achievable in negotiation and provides a meaningful backstop against a technical denial of coverage.
The Consequential Damages Interaction
Consequential damages waivers and indemnification obligations exist in the same agreement and are frequently in tension. The waiver typically excludes lost profits, lost data, lost revenue, and similar downstream losses from the parties' liability to each other. The indemnification obligation covers third-party claims, which by definition arise from a different source of liability. But many agreements blur this distinction in ways that can eliminate the practical value of the indemnification.
The most common blurring mechanism is a consequential damages waiver that explicitly applies "notwithstanding any other provision of this agreement" — language that a vendor may argue sweeps in indemnification obligations as well as direct damages. The interaction between a broad consequential damages waiver and a mutual indemnification obligation has been litigated with varying results across jurisdictions. The safest drafting practice is to state explicitly that the indemnification obligations survive and are not limited by the consequential damages waiver, and to be specific about which categories of third-party damages are covered.
The Scope of "Third-Party Claims" Problem
Indemnification obligations typically cover "claims, actions, suits, proceedings, losses, damages, liabilities, costs, and expenses" arising from the indemnifying party's conduct. The scope of "third-party claims" — and more importantly, which third parties are contemplated — is frequently underspecified.
For an enterprise customer, the most financially significant third-party claims arising from a vendor's breach may be customer-of-the-customer claims: if the vendor's product failure causes the customer to breach its own downstream obligations, the customer faces liability from its own counterparties. Whether those claims are covered by the vendor's indemnification obligation depends entirely on whether the indemnification language is broad enough to reach claims arising from the breach of the customer's third-party contracts, or whether it is limited to direct claims against the customer by end users or regulatory bodies.
Agreeing on clear language about whether the vendor's indemnification covers downstream contract liabilities — and if so, subject to what conditions — is worth the negotiating time in any agreement where the customer's product or service depends materially on the vendor's performance. The absence of that clarity leaves an ambiguity that tends to be resolved in the indemnifying party's favor when it matters most.
Portfolio-Level Pattern Recognition
Individual review of each agreement's indemnification provisions is necessary but insufficient. The full risk picture requires understanding patterns across the portfolio: how many vendor agreements contain IP indemnification carveouts that could eliminate coverage in combination scenarios? Which agreements involve data processing but lack explicit data incident carveouts from the consequential damages waiver? Are there clusters of vendor relationships — cloud infrastructure, payment processing, identity management — where the indemnification gaps would compound in a major incident scenario?
These pattern questions cannot be answered by reviewing agreements one at a time. They require extracting and comparing indemnification structures across the repository, correlating them with contract type and risk profile, and identifying the systemic exposures that no single agreement review would surface. That visibility is what converts indemnification review from a transaction-by-transaction exercise into an enterprise risk management function.