How do you negotiate MSA indemnification and insurance minimums without handing the economic loss to the vendor?
Brief
Three negotiation caps prevent MSA liability bleeding: a cap at annual contract value (ACV), carve-outs for IP indemnity, and an insurance floor tied to risk profile.
Detail
MSA liability is the #2 reason deals stall in legal (after data processing). Vendors often propose unlimited indemnity or 2-3× ACV caps; buyers counter with vendor-absorbing $25M liability floors. The settlement is typically 1-2× ACV with defined carve-outs.
Enterprise Indemnification Standard
Mutual Indemnity Baseline
| Indemnity Type | Standard Cap | Carve-Out |
|---|---|---|
| IP infringement (vendor's code violates patent) | Unlimited | Only for unmodified code; excludes custom builds |
| Data breach (vendor fails security) | 2× ACV | Only breaches from vendor negligence, not force majeure |
| Service failure (vendor breaks SLA) | 1× ACV | Only for direct damages; excludes consequential damages |
| Breach of confidentiality | 1× ACV | Excludes disclosure required by law/court order |
Negotiation Playbook
Red Flags (Reject Immediately)
- "Indemnity capped at 10% of ACV" = Vendor accepts almost no risk
- "Indemnity unlimited for any reason" = Vendor accepts existential liability
- "Buyer liable for any IP claim regardless of vendor's use of code" = Buyer bears vendor's IP risk
- "Insurance required: $10M general liability" = Unrealistic for mid-market vendors
Negotiation Anchors
Anchor 1: IP Indemnity (Usually Unlimited, With Carve-Outs)
- Vendor starting position: "We'll defend against IP claims if someone sues because of our code."
- Your opening: "Acceptable. But IP indemnity applies only to unmodified vendor code. For your custom integrations, IP risk is shared."
- Settlement: "Unlimited IP indemnity for core product. Custom build IP indemnity capped at 2× ACV or project cost, whichever is smaller."
Anchor 2: Data Breach / Security (2× ACV Typical)
- Vendor starting position: "We maintain SOC 2 Type II. Any breaches are covered by insurance."
- Your opening: "Insurance backs claims; MSA caps liability. Data breach liability capped at 2× ACV, but applies only to breaches caused by vendor negligence (not 3rd-party hacks)."
- Settlement: "2× ACV for breaches caused by vendor failure to maintain reasonable security controls. Vendor provides proof of insurance for cybersecurity liability ($[amount] minimum)."
Anchor 3: Consequential Damages (Always Exclude)
- Vendor starting position: "Consequential damages, lost profits, business interruption excluded."
- Your opening: "Agreed. But direct damages from service outage are not consequential—they're direct. We want direct damages capped at 1-2× ACV."
- Settlement: "Vendor not liable for lost profits, lost revenue, reputational harm. But vendor IS liable for direct costs (e.g., emergency alternate solution, remediation labor) up to 1.5× ACV."
Insurance Minimums (Tied to Deal Size)
| Deal Size | General Liability | Cyber Liability | Errors & Omissions |
|---|---|---|---|
| <$500K | $1M | $1M | $1M |
| $500K-$2M | $2M | $2M | $2M |
| $2M+ | $5M | $5M | $3-5M |
Carve-Out Language (Protects Vendor From Unrealistic Claims)
```
Vendor indemnity excludes claims arising from:
- Customer's modification of vendor code (unless vendor approved)
- Customer's use of product in manner not documented in SOW
- Customer's failure to apply security patches within 30 days of vendor release
- Acts of God, war, natural disaster, cyber attack by external parties (not vendor's fault)
- Claims by third parties that customer created
```
Buyer Indemnity (Protects Vendor, Often Overlooked)
- Buyer indemnifies vendor for IP claims arising from buyer's data provided to vendor
- Example: "If customer's data includes stolen IP and vendor is sued, customer defends vendor"
- Typical cap: 1× ACV (lower than vendor indemnity because buyer data risk is buyer's responsibility)
Escalation Ladder If Vendor Won't Move
| Demand | If Vendor Resists | Escalation |
|---|---|---|
| IP indemnity carve-out for custom code | Vendor wants unlimited IP on custom | "We'll cap custom IP at 2× project cost. Is that workable?" |
| Data breach cap at 2× ACV | Vendor wants unlimited | "Insurance covers excess. You carry $2M cyber liability; we take anything above that." |
| Direct damages = Service outage (not consequential) | Vendor lumps all outages as consequential | "If you take service down 72 hours, we lose $X. That's direct. We need it capped at 1× ACV." |
TAGS: MSA,indemnification,insurance,legal,liability-cap,enterprise-deals,negotiation,risk