The indemnity cap in a commercial contract is the number that tells you the most about how a counterparty thinks about risk. It's also one of the most reliably negotiated provisions in any MSA or SaaS subscription agreement — and yet, when in-house legal teams benchmark their own contract portfolio against market practice, they frequently find that their negotiated caps are either inconsistently applied or significantly out of step with what similarly-sized counterparties have accepted.
This article maps indemnity cap structures across deal size ranges and contract types, covers the distinction between fundamental and non-fundamental representation caps in M&A contexts, and addresses the basket and deductible mechanics that determine how the cap interacts with actual claims.
The Basic Cap Structure
A commercial indemnity cap limits one party's total indemnification obligation to a specified ceiling. The most common formulation expresses the cap as a multiple of fees paid or a fixed dollar amount. In software agreements and MSAs, a fees-paid cap — typically one to two times total fees paid in the twelve months preceding the claim — is the baseline expectation at most market tiers.
The fees-paid structure has a logical appeal: it ties exposure to the economic relationship. A vendor that received $50,000 in annual fees is not exposed to unlimited indemnification for a breach that caused the customer $2M in consequential losses. That asymmetry is the point: the cap forces the indemnified party to carry their own insurance for large-loss scenarios, rather than treating the vendor as the insurer of last resort.
The problem with fees-paid caps in the current market is that SaaS pricing compression has made fees-paid caps increasingly nominal in high-value data relationships. A company paying $120,000 per year for a critical data processing agreement may have a business dependency on that service worth ten or twenty times that figure. A fees-paid cap in that context provides essentially no coverage for a serious data breach or service failure. This tension — between the cap as a risk-transfer mechanism and the actual economic exposure at stake — is what drives the most contentious cap negotiations in enterprise software contracting.
Market Ranges by Deal Size and Contract Type
Indemnity cap norms vary meaningfully by contract type and counterparty size. The following ranges reflect patterns observed across commercial agreements reviewed in mid-market legal and corporate development contexts in 2024 and early 2025. These are market-practice ranges, not binding standards — any given negotiation will land based on bargaining position, relationship, and specific risk profile.
For enterprise SaaS agreements with annual contract values between $50,000 and $250,000, a mutual cap of one to two times annual fees is standard for general indemnification. IP infringement indemnification carve-outs — where the vendor typically provides a higher or uncapped indemnity for third-party IP claims — appear in most enterprise agreements above $100,000 ACV. Data security indemnification is more variable: some vendors hold the line at fees-paid for data breaches; others accept a fixed dollar cap (commonly $500,000 to $2M for mid-market agreements) for breaches involving personal data subject to regulatory notification requirements.
For professional services MSAs with total engagement values between $250,000 and $2M, caps of one times total contract value are common. Some sophisticated buyers negotiate a floor — "the greater of $500,000 or one times fees" — to ensure the cap doesn't become nominally small for short or low-value engagements where a significant professional negligence claim might still arise.
For vendor agreements in the $10M-$500M M&A deal context — where the acquirer is reviewing the target's existing commercial contracts — the cap structure affects contingent liability analysis. A target whose ten largest vendor agreements all carry uncapped indemnities for data security breaches represents a different risk profile than one where those agreements are consistently capped at fees paid plus a fixed ceiling.
Fundamental vs. Non-Fundamental Representations in M&A
In M&A purchase agreements, the indemnity cap structure operates on two tiers. Non-fundamental representations — the bulk of the rep and warranty package covering operational matters, contracts, IP, and financial statements — are typically subject to a cap expressed as a percentage of purchase price. In middle-market transactions ($25M-$150M purchase price), non-fundamental rep caps commonly fall in the range of 10-20% of transaction value, with significant variation by deal type, industry, and whether R&W insurance is present.
Fundamental representations — title to equity, authority and enforceability, capitalization, and often tax and ERISA — carry higher caps, frequently equal to the full purchase price or a substantial portion of it. Fraud is typically uncapped, which has practical implications: SPA negotiations increasingly focus on the definition of "fraud" to ensure it reaches only intentional misrepresentation and not constructive fraud theories that some jurisdictions recognize on more permissive standards.
When R&W insurance is in the deal, the indemnity cap analysis shifts. The insurer's limits, deductible, and policy exclusions effectively replace the indemnity cap structure for covered losses. Deal counsel reviewing a target's acquisition with R&W coverage needs to understand both the insurance structure and the residual indemnification obligations that survive outside the policy scope — typically fraud, intentional misrepresentation, and certain excluded matters.
Basket and Deductible Mechanics
The indemnity cap sets the ceiling; the basket sets the floor threshold for claims. Two basket structures are common in M&A and commercial contracting contexts. A true deductible — also called a "first dollar deductible" or simply a deductible in commercial contract parlance — means the indemnifying party bears no liability for losses below the threshold, and only the excess above the threshold is recoverable. A tipping basket (or "basket with tip") means that once claims exceed the threshold, the full amount — including the portion below the threshold — becomes recoverable. The distinction is meaningful in commercial contracting where multiple smaller claims might aggregate to the threshold.
In SPA indemnification packages, the tipping basket is common for non-fundamental reps; it produces cleaner economics because the threshold functions as a de minimis filter rather than a true deductible. In commercial contracts — particularly data processing agreements and professional services MSAs — the true deductible is more common because the parties want to avoid litigation over small individual claims while preserving the ability to make claims for serious failures.
We're not saying that tipping baskets are categorically buyer-friendly or deductibles are categorically seller-friendly. The relationship between basket size, cap size, and claim probability is deal-specific. What we're saying is that reviewing a target's contract portfolio without mapping the basket structure alongside the cap produces an incomplete picture of actual indemnification exposure.
Survival Periods and Practical Exposure Windows
An indemnity cap that expires after 12 months provides materially different protection than one with an 18- or 24-month survival period. In M&A diligence, the survival period is a key negotiating point because claims for operational breaches — supplier relationships, customer disputes, tax positions — often don't surface until integration is underway, sometimes 12-18 months post-close.
In commercial contracting, survival provisions are less standardized. Many software agreements don't specify a survival period for indemnification obligations, which creates ambiguity about whether the parties intended indemnification to survive expiration. Sophisticated in-house teams add explicit survival language — "each party's indemnification obligations under this Section 10 shall survive termination or expiration of this Agreement for a period of three (3) years" — as a routine addition to their redline template.
The gap in practice: many commercial agreements in mid-market company portfolios were negotiated without explicit survival language. In an M&A context, a target whose legacy agreements lack survival provisions may be presenting a different indemnification risk profile than a target whose counsel consistently added standard survival language. Identifying that pattern across a portfolio of contracts requires systematic clause extraction — it's not something that surfaces from a high-level contract summary.
What This Looks Like in a Diligence Review
Consider a growing specialty logistics company — approximately $45M in annual revenue, acquired by a private equity-backed platform in a $90M transaction. The target had 28 material vendor agreements in its VDR, each with its own indemnification structure. Eleven of those agreements contained fees-paid caps. Six had fixed dollar caps ranging from $50,000 to $500,000. Four had no indemnification cap at all — they'd been negotiated years earlier by a prior management team without standard legal review. Seven had been signed using the counterparty's form without redline, meaning the indemnification terms were set by the other side.
The deal team's indemnity mapping exercise identified the four uncapped agreements as requiring immediate attention: one was a data processing agreement with a logistics technology vendor that handled customer shipment records, one was a facility maintenance agreement, and two were IT services agreements. The acquirer's standard risk threshold required caps for data processing agreements; the uncapped terms required renegotiation as a condition of closing — or a specific indemnification carve-out in the SPA requiring the seller to hold the buyer harmless for claims arising under those agreements within the first 24 months post-close.
The clause extraction process for those 28 agreements — identifying the cap structure, basket, survival period, and consequential damage exclusion in each — took approximately four hours using structured review. The same exercise done through manual page-turn review would have taken significantly longer, with higher risk that the pattern of uncapped agreements went unnoticed until post-close integration.
Clauseflint's indemnity flagging module surfaces cap provisions, consequential damage exclusions, and indemnification scope language for attorney review. The assessment of whether specific cap terms represent unacceptable risk for a given transaction — and the negotiation of appropriate modifications — is deal counsel's judgment call. The extraction layer is what ensures that judgment is applied to the right set of provisions.
