Key Takeaways:
- Vendors often seek unlimited liability for breaches of their intellectual property rights.
- Customers push back because the obligation not to misuse the SaaS is one of only few customer obligations under a SaaS contract.
- A balanced drafting approach can protect a vendor’s core IP while limiting the customer’s exposure to intentional, grossly negligent, or willful breaches.
When vendors push for unlimited liability for breaches of their intellectual property rights by customers in SaaS agreements, the request is aimed at protecting their most fundamental asset: their IP.
If a customer reverse-engineers the platform, discloses source code, or uses the technology to create a competing product, the resulting harm can be severe and long-lasting. For this reason, vendors often view unlimited liability as a necessary protection.
The difficulty is that many of the damages that flow from these breaches, such as potential loss of revenue or reputational harm, are typically excluded damages under a SaaS contract. They may be characterized as indirect damages or expressly listed as excluded categories of loss.
For example, a standard indirect damages disclaimer clause may read:
“IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO LOST REVENUES, PROFITS, OR GOODWILL, LOSS OF DATA, REPUTATIONAL HARM, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. “
As a result, the vendor may find itself unable to recover for the very losses that are most likely to result from misuse of its intellectual property.
This article explores why vendors are particularly concerned about the types of damage exclusions in the context of intellectual property breaches, why customers push back, and how to draft a compromise that protects the vendor’s core IP without leaving customers exposed to limitless liability for every small act.
Intellectual Property in SaaS Agreements: Setting the Context
Every SaaS agreement is built on a core set of intellectual property. For vendors, it’s the platform, the code, upgrades, updates, bug fixes, patches and related documentation. These components are the vendor’s proprietary IP, provided to the customer under a limited subscription model.
To protect its IP, the vendor typically includes strict “Restrictions” clauses prohibiting reverse-engineering, accessing source code, copying or modifying the platform, or developing a competing product. These Restrictions mitigate the vendor’s concern that misuse of its technology could undermine its competitive advantage, and even long-term business viability.
For customers, by contrast, the primary concerns are ownership and control of their data provided to the SaaS, along with any reports and outputs. Customers focus on ensuring their data and outputs are properly protected and not misused, leaked, or misappropriated by the vendor or a malicious third party.
Why the IP Carve-Out Matters to Vendors
Both the customer and vendor have legitimate concerns around their data and IP. But when unlimited liability comes up in SaaS negotiations, the focus is usually on which vendor breaches should sit outside the liability cap, most notably confidentiality and data protection obligations. What is often misunderstood is that vendors also seek their own carve-out for violations by the customer of the vendor’s intellectual property rights.
This carve-out raises a number of interesting questions about the types of breaches that could occur, and the damages a vendor can realistically recover under a SaaS contract.
Consider a hypothetical. A customer reverse engineers the vendor’s SaaS. The vendor loses half its client base over the next two years to that customer, which has developed a similar, competing product. Those lost revenues and future business opportunities would almost certainly fall within excluded categories of damages under the standard limitation of liability clause (like the one above).
Additionally, a vendor may need to invest in technological or security fixes. For example, re-engineering part of the platform, updating encryption protocols, or enhancing access controls. And a breach of this kind could undermine investor confidence, affect valuations, and derail funding or acquisition opportunities.
Arguing that all of these losses should be treated as direct and therefore recoverable damages under the contract is difficult. Direct damages are typically those that flow naturally and foreseeably from the breach itself, such as the costs to repair or replace a service. Indirect damages, by contrast, are losses that arise from secondary effects of the breach and which are not obvious, such as lost profits or diminished business opportunities.
For violations of vendor IP, most of the damages that come to mind fall in the second category. Not allowing the vendor to make a claim for these types of losses leaves it without an effective remedy for the most serious contractual violation it could face.
The Customer Perspective and the Pushback
I have had this discussion a number of times with customer counsel, but one exchange stands out. We were reviewing redlines where I had added the IP carve-out, along with a carve-out for payment obligations. The customer’s attorney stopped me mid-sentence and said:
“You realize that this obligation, together with the payment obligation, are the only two real obligations my client has in this contract – to pay and to use the SaaS properly. If you exclude both from the cap, you’ve effectively made my client liable without limit for all of their obligations under the contract.”
It was an interesting point. From the customer’s perspective, there would be no real liability protection left if both obligations were excluded from the cap.
A Path to Compromise
Intellectual property is the foundation of SaaS and the vendor’s concerns about IP breaches are legitimate and serious. To see those concerns clearly and explicitly, you only need to look at the “Restrictions” clause in a SaaS agreement. It prohibits actions such as:
- Using the SaaS to provide a service to others,
- Reverse-engineering, decompiling, or seeking to access the source code,
- Copying, modifying, or creating derivative works,
- Developing a competing product.
These are serious infringements, but they are also deliberate. Can a customer accidentally discover the source code of a SaaS platform, or unintentionally reverse-engineer it, or mistakenly develop a competing product? Not likely. These acts typically require intentional conduct over an extended period of time.
And that reality suggests the solution.
Liability for breach of IP rights can be unlimited, both as to amount and type of damage, but only where the breach results from intentional acts, gross negligence, or willful misconduct. A balanced compromise might read:
“Except for the Customer’s intentional violation of the Vendor’s intellectual property rights, or any violation resulting from the Customer’s gross negligence or willful misconduct, each Party’s aggregate liability to the other Party for all claims arising out of or relating to this Agreement, whether in contract, tort, or otherwise, shall not exceed the amounts paid by Customer to the Vendor during the twelve (12) months immediately preceding the event giving rise to such liability.”
This ensures the vendor is protected from deliberate or reckless misuse of its technology, while also reassuring the customer that it won’t be exposed to limitless liability for unintentional or technical breaches.
Want to dive deeper into the nuances of limitation of liability and other key clauses in SaaS negotiations? Join the Waiting List for my next Practical SaaS Contract Masterclass to master these issues and more.
The post Unlimited Liability for a Customer’s IP Infringement in SaaS Contracts appeared first on Contract Nerds.