SaaS Indemnity Provisions: 5 Things to Watch For
This is the second post for non-lawyers on key issues in SaaS Service Agreement negotiations. The first post explored Representations and Warranties, and this post moves on to another often-discussed and negotiated provision among lawyers – indemnification promises. This blog series will wrap up with a final post on limitations of liability.
A Very Small Dose of the Law
An indemnity provision is a contractual promise by one party to compensate and/or defend the other party against the risk of harm, liability or loss. If that sounds a lot like insurance, it should – the shifting of risk is the foundation of both insurance and contractual indemnity provisions.
There are a few things that the law does not let folks indemnify. For example, “sole negligence” and “willful misconduct” may not be indemnified in California under Civil Code section 2782(a), and most states have similar provisions. But other than that, you can negotiate indemnification related to anything in your contract.
Given such a broad scope of what can be indemnified, the most common question I get is: What should be indemnified? The answer is (of course) that it depends. It depends on your service, on how much is being paid, and on the leverage each party has in the negotiation.
But despite those variables, the starting point is always answering this question:
What risks is each party reasonably exposed to by entering into this contract?
If both parties are exposed to the same risk, then generally neither indemnifies the other for it. But if one party poses a unique risk to the other, that is where a well-crafted indemnity provision steps in to lessen the risk and create a more balanced agreement amenable to all parties.
Five Things to Watch Out For
1. Third Party Claims Only
A surprising number of indemnity provisions in all types of contracts do not limit the scope of the indemnification to claims brought by third parties – which is all an indemnity provision should cover.
An indemnity provision exists to lessen or eliminate the risk from third party claims, not the risk that one party will breach the agreement. Language that is not limited to third party claims in effect turns an indemnification provision into a back-door way to include an attorney’s fees provision, and possibly provides extra causes of action in a breach lawsuit. Always avoid that.
2. Risks are Different, so Indemnity Provisions can be Different
It is common for lawyers and non-lawyers alike to demand that the two parties’ contractual indemnity obligations be identical. But since the risks that a SaaS services provider brings to the relationship are often very different from those of its customer, there is no good reason that their respective indemnity provisions should be identical. Again, the focus is on the unique risks to one party from the other.
For example, a SaaS services provider that processes financial data exposes its customers to both intellectual property infringement claims and data breach claims. So the SaaS provider might only provide indemnification for intellectual property infringement and loss of data from its systems.
Its customer, however, exposes the SaaS services provider to risks of claims by its end users from breach of its contractual obligations – such as the obligation to only upload data it has the right to upload. Given those risks, the customer should indemnify for claims related to its breach of its contractual promises to the SaaS provider, which would include claims by a user that its personal or financial data was improperly used by the customer.
3. Indemnification Promises can be Narrowed
Most indemnification agreements can be narrowed or have procedures put in place to allow more transparency and predictability. This is most common with an intellectual property (IP) infringement claim. Typically, the SaaS provider’s obligation in the face of IP infringement claims will be to resolve the claim by 1) licensing the rights needed, 2) replacing the infringing IP with non-infringing IP, or 3) cancelling the agreement. These limitations on the scope of the indemnification fit the realities that the agreement cannot continue in effect without the IP, and that the SaaS provider only has certain options to deliver a non-infringing service.
In addition to limiting what an indemnifying party must do in response to certain claims, you can also list actions that might nullify the indemnity obligation. For IP infringement claims, for example, it is common for the obligation to be nullified if the infringement arises from the customer’s misuse of the SaaS service or other breach of the Agreement. Many other refinements are possible, but the point is that the parties can do more than agree to an open-ended indemnification obligation.
4. Focus on the Claim Allegations, Not Who is at Fault
Words have meaning, and there is a world of difference between indemnity triggered by claims “caused by” a party’s breach and indemnity triggered by claims “related to” or “arising out of” that breach.
The former would impose the impractical and often impossible requirement of proving the cause of a third party’s claimed injury in order to be indemnified – but the cause is typically not determined until a trial is held on the claim, which seldom occurs since 95+% of all lawsuits are dismissed or settled before any trial. The latter option more reasonably requires only an allegation by the third party of a relationship between their claim and the triggering indemnity provision.
5. Consider Indemnity with other Agreement Provisions
The impact and reasonableness of any indemnity promise can be affected by other provisions of your SaaS Services Agreement: the monetary caps in your Limitation of Liability clause (or lack thereof), the scope of your representations and warranties, the existence of an informal dispute resolution procedure to address indemnity provision disagreements, and last but not least your insurance coverage for indemnified claims.
Each of these five considerations will weigh into whether an indemnity provision is fair and reasonable, and what impact it can have on each party’s business in the short and long term. Walking through the risk analysis mentioned at the start of this post will put you on the path to the right balance of indemnity rights and obligations.