We're planning a major API integration with a critical vendor, and their legal team is insisting on an unlimited liability clause for any security breach originating from our side, even if it's due to a vulnerability in their API. This seems like an extreme shift from the standard mutual indemnification. Has anyone else run into this, and how did you negotiate a more balanced agreement?
Unlimited liability clauses are unusual in practice. Aim for a liability cap tied to contract value with carve-outs for breaches of confidentiality and data security; also carve out gross negligence and willful misconduct.
Push for mutual indemnification so either side bears responsibility for its own faults; specify per-event caps and separate caps for IP vs. data breaches.
Require the vendor to carry cyber liability insurance and name you as an insured; ask for coverage benchmarks (e.g. five to ten million) depending on data sensitivity.
Include a robust data security addendum: rights to audit, incident response, notification timing, and a no-fault data breach approach. This helps limit cost blowups.
Do a staged negotiation, bring in counsel, and use a risk matrix; for API integration deals in 2025, emphasize balanced risk and avoid one-sided terms.