Updated 2026-05-13
Current through May 13, 2026

MSA: Liability Cap — What It Actually Covers

By Adam David Long

The liability cap does not limit what can go wrong. It limits what you can recover when it does. Most enterprise MSAs combine two provisions that work together: a cap on total recovery (typically 12 months of fees) and an exclusion of consequential damages (the categories that represent most of the actual harm). Either one alone is significant. Together, they mean your practical recovery for a major vendor failure may be close to zero relative to your actual loss.

How It Works

The liability cap sets your ceiling. A typical clause:

"In no event shall either party's aggregate liability arising out of or related to this Agreement exceed the amounts paid or payable by Customer in the twelve (12) months preceding the claim."

For a $200K/year SaaS contract, your maximum recovery is $200K — regardless of what the failure cost your business.

The consequential damages exclusion removes the floor. A typical clause:

"In no event shall either party be liable for any indirect, incidental, special, exemplary, consequential, or punitive damages, including but not limited to loss of profits, loss of revenue, loss of data, loss of goodwill, or cost of substitute goods or services."

The categories explicitly excluded — lost profits, lost revenue, lost data, cost of substitute goods — are the categories that represent the actual financial harm from most vendor failures. Investigation costs after a data breach are consequential. Regulatory fines are consequential. Customer churn, business interruption, and reputational damage are consequential.

Read the two clauses together: the cap limits your total recovery; the exclusion removes the largest line items from that total. What remains is typically direct damages — the fees you paid for services you did not receive. In practice, a fraction of your annual fee.

The Data Breach Version

This structure becomes most consequential in a data breach. The costs of a breach are almost entirely consequential: forensic investigation, breach notification, regulatory fines under state notification laws and GDPR, credit monitoring, customer churn, reputational harm. These costs can reach multiples of annual contract value. Under a standard MSA, they are all excluded.

Elevated caps for data security breaches are uncommon across enterprise vendor agreements. If your MSA does not have a data breach carve-out, you are in the majority, not the exception.

The AI Version

AI failures compound the liability cap problem in two ways.

First, AI failures generate exactly the costs that consequential damages exclusions remove. An AI system that produces inaccurate outputs affecting customer decisions, triggers a regulatory enforcement action under state AI law, or causes business interruption during a model failure produces losses that are almost entirely consequential in nature.

Second, the cap was sized for software bug risk, not for AI-scale consequential harm. A 12-months-of-fees cap calibrated for a $200K SaaS contract was priced against the risk that the software might not work correctly. It was not priced against the risk of an AI system making consequential decisions at scale across your customer base or operations.

Both Sides of the Table

If you're the buyer:

  1. Push for a data breach carve-out from the liability cap — Snowflake's Terms of Service Section 12(C) (https://www.snowflake.com/en/legal/terms-of-service/, verified 2026-04-20) establishes a 2x Data Protection Claims Cap as a separate ceiling from the general cap. Use it as a benchmark.
  2. For AI vendors specifically, push for an AI-incident carve-out analogous to the data breach carve-out — the risk profile is comparable.
  3. If the vendor won't move on the cap, negotiate for a cyber insurance requirement and verify you are named as additional insured.
  4. Make sure the consequential damages exclusion does not apply to the vendor's breach of its own confidentiality or data security obligations — that carve-out is achievable.

If you're the vendor:

  1. Unlimited liability is not commercially viable at scale — the cap is the business model.
  2. A modest data breach carve-out (2x annual fees) costs almost nothing in most scenarios and is a competitive differentiator.
  3. The consequential damages exclusion is not negotiable for core liability structure, but offering limited carve-outs for specific high-stakes categories signals confidence in your product.

The Pattern Signal

The liability cap and consequential damages exclusion co-occur in nearly every enterprise MSA. When reviewing this provision, also check:

  • The warranty-remedy unit — the exclusive remedy clause (termination + pro-rata refund) often makes the liability cap redundant. In practice, the cap only matters if you can get past the exclusive remedy clause first. Read both.
  • The SLA remedy — if the SLA designates service credits as your exclusive remedy for downtime, the liability cap may never even be reached for outage-related claims.
  • Indemnification carve-outs — indemnification obligations are typically excluded from the general liability cap. Confirm whether AI output indemnification, if any, is also excluded from the cap.