You're about to sign a customer contract that could change your company. The commercial terms look fine. Then you hit the dense section called limitations of liability, and suddenly the deal feels less clear. If your product touches customer data, uses AI tools, or serves clients in both New York and Ontario, that section can decide who absorbs the worst loss when something goes wrong.
At Mayo Law, we help businesses in Toronto, the GTA, and across the border handle contract risk that sits between legal drafting and real business exposure. Founders often focus first on revenue, product scope, and payment terms. That's understandable. But liability language often does more to shape downside risk than any other clause in the contract, especially once your company starts operating in more than one jurisdiction or after you've incorporated a business in Ontario.
A good liability clause isn't boilerplate. It's a pricing decision, an insurance decision, and a dispute-planning decision. If you do business on both sides of the border, it's also a governing-law decision.
Introduction
A founder in this position usually has the same reaction: “If I sign this as written, what am I on the hook for?” That's the right question. The clause isn't there to make the contract look polished. It allocates financial pain in advance.
In practice, these clauses matter most when the relationship is otherwise going well. Nobody negotiates them while thinking a breach, security incident, or IP fight is likely. But once one of those events happens, the limitation language becomes one of the first provisions both sides read.
For a startup selling into larger enterprises, this creates a familiar tension. You need the deal to move. The customer wants broad remedies. You want a predictable ceiling. If your team is in Toronto, your customer is in New York, your servers sit somewhere else, and your users span both countries, a generic clause copied from an old template often won't hold up commercially or legally.
What Are Limitations of Liability?
A limitation of liability clause is a contract provision that restricts how much money one party can recover, or what kinds of losses it can recover, if the other party breaches the agreement or causes a related claim. Its job is to turn uncertain exposure into a more defined allocation of risk.
Two layers usually do the real work
Most commercial clauses split into two technical layers. One is a cap on total recoverable losses. The other is a separate exclusion for categories like consequential damages, incidental damages, lost profits, and punitive damages, as described in Sirion's discussion of limitation-of-liability clauses.
That distinction matters.
A founder will often focus on the cap first because it's easy to see. If the clause says liability is capped at a stated amount, that feels concrete. But the exclusion language can matter even more because the biggest claims in a business dispute are often framed as downstream losses rather than the direct value of the contract.
Why the exclusion side can be more important
If your customer says your outage caused internal delays, lost opportunities, reputational harm, or lost revenue, those allegations may sit in the excluded category rather than inside the cap. That's why parties fight over definitions like direct, indirect, and consequential damages.
Practical rule: Don't read the cap in isolation. Read the exclusion list, the carve-outs, and the remedy section together.
A simple way to think about it is this:
| Clause feature | What it does | Why it matters |
|---|---|---|
| Cap on liability | Sets the maximum recovery | Creates a ceiling on financial exposure |
| Damage exclusion | Removes certain loss categories | Can eliminate the largest claimed losses |
| Carve-outs | Restores liability for specific risks | Protects high-severity issues from the general cap |
What founders should look for first
When I review these clauses for startups, I usually start with four questions:
- What is capped. Is it all claims, or only contract claims?
- What is excluded. Are lost profits, punitive damages, and consequential losses out?
- What escapes the cap. Do confidentiality, IP, payment obligations, or indemnities sit outside it?
- How the clause interacts with remedies. Does another section implicitly expand or shrink the result?
If you answer those four questions, the clause usually becomes much less mysterious.
Common Types of Liability Clauses and Caps
Commercial contracts tend to use a few recurring structures rather than endless variations. In practice, the most common architecture is either a fee multiple or a fixed-dollar cap, with a default of about 1x annual fees. For higher-risk categories such as data breaches or IP infringement, parties often negotiate super caps up to 5x annual contract value, as noted in Common Paper's analysis of limitation-of-liability structures.
Fee-based caps
This is the structure most founders see first. The cap is tied to what the customer paid, often over a lookback period.
Examples include language such as liability capped at fees paid under the agreement, fees paid in the prior year, or fees paid for the affected service. Sellers like this approach because it ties risk to revenue. Buyers often dislike it when the contract value is modest but the operational dependency is high.
A SaaS company might accept a cap based on subscription fees because the pricing model is recurring and measurable. A consulting firm may prefer to cap liability at the fees for the specific statement of work rather than the master agreement as a whole.
Fixed-amount caps
Some contracts use a fixed amount instead of a revenue-linked formula. That can work when pricing is uneven, milestone-based, or front-loaded.
This structure is sometimes cleaner in deals involving product development, implementation work, or technology licensing. It avoids disputes about what counts as “fees paid” and can be easier for both sides to price against.
If your deal also involves software rights, data use, or ownership language, the cap should be reviewed with the related IP provisions, not as a stand-alone sentence. That's often where technology contracts go wrong, especially in deals involving licensing of technology.
What are some examples of limitation of liability clauses?
A software vendor might cap general liability at one year of subscription fees, while placing a higher cap on a data security breach. A marketing agency might cap liability at the value of the specific campaign at issue, while excluding lost profits and other indirect losses. Both are common patterns, but each produces very different outcomes when a dispute starts.
A cap that looks balanced in the abstract can fail in practice if it isn't matched to the actual way loss would occur.
What works and what doesn't
What works is a cap tied to the commercial reality of the deal. That means asking what the buyer is really relying on and what the seller can insure or reserve against.
What doesn't work is copying a “market” clause from another company without checking whether your pricing, data exposure, and product function match that template.
A startup selling workflow software to a small team can often justify a different structure than a startup processing sensitive customer data for a regulated enterprise. Both may call the clause a limitation of liability. The business logic behind them should not be the same.
Is a Limitation of Liability Clause Always Enforceable in New York and Ontario?
No. In business-to-business contracts between experienced parties, these clauses are often enforceable. But they are not self-executing, and they are not immune from challenge. Cross-border contracts create an extra layer of risk because a clause that feels commercially standard in one place may be scrutinized differently in another.
Industry guidance highlights that a major risk is jurisdictional enforcement, especially for U.S.-Canada contracts. A cap viewed as standard in one jurisdiction may be challenged as unreasonable or unconscionable in another, and a nominal cap can fail entirely if the drafting or bargaining context is weak, as discussed by the Association of Corporate Counsel on ineffective limitation-of-liability provisions.
New York
New York courts generally respect negotiated allocation of risk in commercial contracts, especially where both sides are experienced and the clause is clearly drafted. That said, founders should not assume that broad drafting solves everything.
New York issues often turn on points like:
- Clarity of drafting. If the clause is vague, a court may construe it narrowly.
- Nature of the conduct alleged. Gross negligence and willful misconduct arguments can change the analysis.
- Interaction with other clauses. Indemnity, exclusive remedy, and forum clauses can shift the practical result.
For governing-law planning, the text of New York's General Obligations Law is worth reviewing with counsel, especially if the contract also has choice-of-law and venue provisions.
Ontario
Ontario courts also recognize freedom of contract, but the analysis often focuses heavily on whether the clause covers the event that happened and whether enforcing it would be unconscionable or contrary to public policy.
Canadian lawyers usually think about the framework shaped by cases such as Tercon. The practical questions are familiar: does the clause plainly apply, was the contract formed on fair enough terms, and is there a reason public policy should override it? The Supreme Court of Canada remains the place to verify leading Canadian authority.
Gross negligence and drafting assumptions
One recurring founder assumption is that adding “except for gross negligence or willful misconduct” solves the hard part. Sometimes it helps. Sometimes it creates new uncertainty because those terms trigger argument rather than certainty.
Another issue is overreaching. If a vendor insists on a cap so low that it bears little relation to the value and risk of the deal, the clause may invite scrutiny rather than protection.
If you want a clause enforced, make it commercially believable.
Why governing law and forum matter together
A cross-border contract should never treat governing law and dispute forum as separate housekeeping items. They work together. A New York governing-law clause paired with Ontario litigation, or vice versa, can produce procedural and interpretive friction that startups only discover after a dispute begins.
That is why the liability clause should be negotiated alongside the forum provision, not after it. If your contract has U.S.-Canada exposure, the forum selection clause deserves the same attention as the liability cap itself.
What founders should do before signing
If you operate in both jurisdictions, ask these questions before agreeing:
- Which law governs the clause?
- Where will disputes be heard?
- Does the clause clearly cover negligence, statutory claims, and affiliates, if intended?
- Would the cap still look reasonable if a judge read it cold, after a serious dispute?
Those questions usually reveal whether you have a real risk-allocation clause or just contract wallpaper.
Navigating Modern Risks Like Data Breaches and AI
A standard cap that works for an ordinary service failure often breaks down when the loss involves data security or AI-related IP issues. That's where many older templates feel outdated.
Recent contracting guidance has focused on a gap that matters to fast-moving companies: parties now commonly negotiate special treatment for data security incident expenses and IP claims because buyers increasingly ask whether a normal cap can realistically cover forensic work, notification, and downstream regulatory exposure after a breach, as discussed in Legal Dive's coverage of limitation-of-liability negotiations.
How do liability limits apply to data breaches?
They apply only as far as the contract says they do. If the clause puts all breach-related loss inside the general cap, the customer may recover much less than it expected. If the contract creates a special cap or carve-out for security events, the recovery position changes materially.
That's why security language can't be negotiated as boilerplate anymore. A buyer may treat a cyber incident as an existential business event. A vendor may see it as one category among many. The contract has to resolve that mismatch in advance.
The real operational problem
For founders, the issue isn't abstract enforceability. It's whether the liability architecture matches the costs that would arise.
A buyer may ask whether the cap covers:
- Forensic investigation
- Notification obligations
- Credit monitoring
- Service downtime
- Regulatory fallout
- Third-party claims tied to the incident
If your answer is unclear, your clause is underbuilt.
AI creates a related problem
AI tools create their own version of this issue. A customer may worry about training-data disputes, output-based infringement claims, confidentiality failures, or misuse of proprietary inputs. A seller may want those issues inside the general cap. A buyer will often push for separate treatment.
Mayo Law works with businesses across the GTA and on cross-border matters. Joseph Mayo is licensed in Ontario and New York, so clients with U.S. ties coordinate their legal work in one place rather than juggling two firms. For tech deals, that often means reviewing the liability clause together with the IP and confidentiality package, especially where there's concern about trade secret misappropriation.
A breach clause that ignores modern data and AI risk usually saves time only until the first serious incident.
Better approaches
What tends to work better is layered drafting. General operational claims may sit under the base cap. Security incidents, IP claims, and confidentiality breaches may get a higher cap, separate treatment, or a specific carve-out.
That approach isn't automatically buyer-friendly or seller-hostile. It's often the only way to make the contract reflect how losses would arise.
Drafting and Negotiating Best Practices
Most bad limitation clauses fail for one of two reasons. They're too vague to work, or they're so aggressive that the other side fights them hard and the deal slows down. The goal isn't maximal limitation. It's defensible allocation.
If you're the party limiting liability
A vendor, developer, agency, or service provider usually wants predictability more than anything else.
- Tie the cap to the economics of the deal. A fee-linked cap is easier to defend than a number that seems arbitrary.
- Define the claim bucket carefully. Decide whether the clause applies to contract claims only, or also tort, negligence, statutory, and related claims.
- Draft the exclusions clearly. If you mean to exclude lost profits or punitive damages, say so plainly.
- Check consistency across the agreement. An indemnity, security addendum, or service-level remedy can undermine the limitation section.
- Compare the clause to your insurance. A contract should not promise a risk allocation your policy won't support.
If you're accepting limited liability
Buyers need to resist the instinct to negotiate only the headline number. The better move is to negotiate where the general cap doesn't apply.
Consider pushing on these points:
- Higher treatment for specific risks. Security incidents and IP claims often deserve separate handling.
- Mutuality. If one side gets broad protection, ask whether the clause should operate both ways.
- Payment obligations. Many buyers accept a cap on seller liability but won't agree that unpaid fees or reimbursement duties are similarly constrained.
- Confidentiality and data misuse. These may justify carve-outs or at least a higher cap.
- Remedy design. An exclusive remedy can matter as much as the cap itself.
One clause rarely solves the whole problem
I've seen startups negotiate a decent liability provision and still end up exposed because the rest of the agreement wasn't aligned. The contract promised one outcome. The security schedule, indemnity language, and insurance program pointed elsewhere.
That review should happen as part of the overall transaction package, whether the deal is a service agreement, acquisition, or strategic commercial arrangement. In cross-border matters, that often sits inside broader international business planning and, in deal work, alongside documents such as stock purchase agreements.
Negotiation shortcut: Ask what the worst plausible loss looks like for each side, then draft the cap and carve-outs around that answer.
Two anonymized scenarios
A Toronto software startup signs a New York enterprise customer on a modest annual subscription. The customer's first draft sets unlimited liability for confidentiality, data security, and all indemnity obligations. That sounds simple, but for the startup it creates exposure far beyond contract value. A layered cap with narrower carve-outs is usually the more realistic fix.
An Ontario services company buys AI-enabled software from a U.S. vendor. The vendor offers a standard fee cap and broad exclusion of indirect loss. The buyer's real concern is not ordinary downtime. It's a third-party claim alleging the tool's output infringes someone else's rights. That issue should be negotiated directly, not buried under general language.
Frequently Asked Questions
Is a limitation of liability clause the same as an indemnity?
No. They do different jobs. A limitation clause restricts exposure. An indemnity shifts responsibility for certain losses or third-party claims. In many contracts, the most important negotiation is how those two provisions interact. An indemnity can expand liability, while the limitation clause may try to cap it or exclude it from the cap.
How much should a liability cap be?
There isn't one correct number for every deal. In commercial practice, fee-based caps and fixed amounts are common, and many contracts start from a fee-linked structure. The better question is whether the cap fits the pricing, the service, the data exposure, and the kinds of losses that are realistically in play.
How long does it take to negotiate this clause?
That depends on bargaining power, industry, and whether the first draft is realistic. If both sides use familiar commercial positions, the clause can move quickly. If the draft combines a low cap, broad disclaimers, and unclear carve-outs, negotiations usually drag because each change affects insurance, pricing, and other contract sections.
Which law should govern a New York and Ontario contract?
It depends on where the parties operate, where performance happens, and where you'd realistically want a dispute heard. The key point is consistency. Governing law, forum, indemnity structure, and liability language should work together. Choosing one jurisdiction's law without checking how the clause would look in the other forum can create avoidable risk.
What is the biggest mistake founders make with limitations of liability?
Treating the clause as a late-stage cleanup item. By then, pricing is often set and influence is diminished. The smarter move is to address liability early, once the business terms are clear enough to understand what the real downside looks like for both parties.
Conclusion
If you're staring at a contract and wondering whether the liability section is routine, it probably isn't. These clauses decide which losses stay in the deal and which ones escape it. For companies operating between New York and Ontario, the drafting has to work commercially and hold up across different legal instincts about enforceability.
A strong clause doesn't eliminate risk. It prices risk, channels it, and makes it easier to live with. That's what founders should want before they sign.
If you're negotiating a cross-border contract and want the liability language reviewed in business terms, not just legal jargon, Mayo Law advises companies on U.S.-Canada commercial agreements with a focus on practical risk allocation.
