Indemnification Clauses: A Practical Guide for In-House Counsel

Contract Risk Benjamin Clarke
Indemnification Clauses: A Practical Guide for In-House Counsel

Indemnification clauses are in every commercial contract. They're also among the most frequently misread — not because lawyers don't understand indemnification law, but because the language variations between contracts are small in appearance and large in consequence. "Defend, indemnify, and hold harmless" versus "indemnify and hold harmless" versus just "indemnify" each carries meaningfully different obligations, and in the flow of a busy review they can blur together.

This is a clause-level reading guide, not an overview of indemnification doctrine. The goal is practical: what to look for when you're in the provision, and what to flag when something's off.

The Duty to Defend vs. the Duty to Indemnify

This distinction matters more than almost any other in the indemnification clause. A duty to indemnify means: if there's a loss, judgment, or settlement, the indemnifying party pays. A duty to defend means: when a claim is made, the indemnifying party takes on the defense — attorneys, strategy, legal spend — before any final determination of liability.

The duty to defend is significantly broader. You can be required to defend a case you ultimately win. The obligation kicks in when a claim is tendered, not when liability is established. For vendors providing services that carry third-party claim risk (IP infringement, data breaches, professional errors), a defend obligation means they're on the hook for defense costs whether or not the claim has merit.

When you see "defend, indemnify, and hold harmless" in a counterparty's paper, that's the expansive version. When you see just "indemnify," you have an argument that no defend obligation exists — though this is jurisdiction-dependent and courts vary. When you're drafting for your company or negotiating your paper, understand which obligation you're agreeing to accept or extend.

Mutual vs. Unilateral Indemnification

A common structural issue in vendor contracts: the indemnification is unilateral. The vendor indemnifies you for their IP infringement, negligence, or data breach. You indemnify them for your misuse of their service, your customer data, or your negligent acts. In theory, mutual.

In practice, asymmetric. The triggers are often written much more broadly for customer-side indemnification than vendor-side. A customer indemnification that covers "any claims arising from customer's use of the service" is conceptually mutual with a vendor indemnification covering "vendor's breach of this agreement," but they're not structurally equivalent. The customer trigger is use-based (which is broad); the vendor trigger is breach-based (which requires a legal threshold).

When reviewing mutual indemnification, read both sides of the trigger in parallel. Do they require the same threshold to activate? Is one use-based and the other breach-based? Is one limited to specific claim types while the other is general? The words "mutual indemnification" in a header tell you almost nothing without reading the actual language.

IP Indemnification: A Closer Look

IP infringement indemnification is where we see the most consequential variations in standard SaaS and services contracts. The structure usually looks like: vendor will indemnify customer if the service infringes a third-party IP right, subject to carve-outs. The carve-outs are where the real negotiation lives.

Common carve-outs that vendors push:

  • Modifications made by the customer to the service
  • Use of the service in combination with other software not provided by vendor
  • Use of the service in a manner not in accordance with documentation
  • Customer's own content or data

The combination carve-out is often the most significant. If your entire use of the vendor's service involves combining it with other software — which is almost always the case with SaaS tools integrated into existing tech stacks — a broadly drafted combination carve-out can effectively nullify the IP indemnification in practice. Watch for language that excludes infringement claims that "would not have arisen but for" the combination. That's a but-for causation test that's hard to fail when there's any integration at all.

We're not saying combination carve-outs are unreasonable — they're standard market position for most software vendors. We're saying that understanding the effective scope of IP indemnification requires reading the carve-outs, not just the obligation sentence.

Indemnification Caps and Their Relationship to the LOL Clause

Most contracts have a limitation of liability section and a separate indemnification section, and the question of whether indemnification obligations are capped is critical. The two most common structures:

Indemnification is uncapped, separate from the general LOL. This means a vendor's indemnification obligation for IP infringement or data breach claims could theoretically exceed the contract value significantly. This is often the default in customer-friendly paper and is typically what's being negotiated when a vendor pushes back hard on indemnification language.

Indemnification is capped at the same limit as general liability — often 12 months of fees paid or a fixed dollar amount. This protects the vendor but limits your recovery in a serious indemnification scenario.

A middle-ground approach, which shows up in more sophisticated agreements: tiered caps, where general liability is capped at a lower amount but IP infringement and data breach indemnification have higher or separate caps. If you're negotiating a vendor agreement where data handling is material to the deal, pushing for a separate (higher) data breach indemnification cap rather than an uncapped obligation is often more achievable than an uncapped obligation and more protective than the general liability cap.

Triggering Conditions: Notice and Control

Most indemnification clauses contain two procedural requirements that determine whether the obligation actually activates in a real claim situation: notice and control.

The notice requirement says the indemnified party must promptly notify the indemnifying party of any claim or threatened claim. "Promptly" is usually undefined, which creates disputes. Some agreements specify a number of days (30-60 days is common in commercial contracts). Some say that failure to provide timely notice reduces or eliminates the indemnification obligation to the extent the indemnifying party was prejudiced by the delay.

The control requirement says the indemnifying party has the right — sometimes the obligation — to control the defense and settlement of indemnified claims. This creates a genuine conflict of interest: the party controlling the defense is often the vendor, whose interests (minimizing the settlement, protecting its product reputation) may not align perfectly with yours (getting out quickly, minimizing management distraction).

When the vendor controls the defense, the typical carve-out is that they cannot settle claims that impose obligations on the customer or do not include a full release of the customer without customer consent. That's the floor. But "consent not to be unreasonably withheld" is a weaker protection than it looks when the vendor is controlling defense timing and strategy.

What to Flag in Review

When we built Winpathio's indemnification analysis, the flags we focused on first were the structural issues that don't require deep legal judgment but do require careful reading: missing defend obligations on IP indemnification, combination carve-outs broad enough to swallow the protection, indemnification that's explicitly capped at the general liability limit for data breach scenarios, and no consent requirement for settlements that affect the customer.

These aren't esoteric points. They're the variations that appear in counterparty paper regularly and that matter materially in the scenarios where indemnification would actually be invoked. The fact that most contracts are never litigated doesn't mean indemnification structure doesn't matter — it means the risk is less visible, which is exactly when it tends to be accepted without scrutiny.

When you're in an indemnification provision, read it twice: once for the obligation (what are you committed to defend/indemnify), once for the triggers and carve-outs (when does the obligation actually apply). The second read is where the exposure lives.

More from The Winpathio Brief

Start reviewing contracts faster.

Join legal teams who've cut review time by 80%.

Request Access See How It Works