SaaS Contracts · Memo
Liability Caps for SaaS Services After Recent California Case Law
A peer-to-peer note on the limitation-of-liability fight in California SaaS deals: which carve-outs survive Civ. Code section 1668, where the super-cap belongs, and what the recent case law actually changes.
The liability cap is the second clause that gets the late-night attention in a SaaS negotiation, after the IP indemnity. The California analysis on caps has not changed at the doctrinal level in a long time, but the application has tightened in ways counsel should track. Civ. Code section 1668 still bars the contractual exemption of liability for a party's own fraud, willful injury, or violation of law. That has been the rule since the statute was enacted in 1872, and the Supreme Court reconfirmed the framework in Civic Center Drive Apartments LP v. Southwestern Bell Video Services, 295 F. Supp. 2d 1091 (N.D. Cal. 2003), and the line of cases it sits in. What has shifted is what counts, in 2026, as something a court will look at twice before enforcing a cap.
The doctrinal floor
Three things cannot be capped in California, no matter what the contract says. The first is fraud, including fraudulent inducement. The second is willful injury to a party's person or property. The third is violation of law, particularly any consumer-protection or fiduciary-duty statute that imposes its own remedy. Tunkl v. Regents of the University of California, 60 Cal. 2d 92 (1963), adds an unconscionability gloss for contracts affecting the public interest, but its reach in B2B SaaS is narrow. The Tunkl factors generally do not apply to commercial software deals between sophisticated parties, and recent California decisional practice has been consistent on that point.
Gross negligence is the live question. The statute does not name it. California courts have read Civ. Code section 1668 to bar exculpation of gross negligence in some contexts (City of Santa Barbara v. Superior Court, 41 Cal. 4th 747 (2007), is the leading case, in the recreational activity context) and to allow it in others. For B2B commercial contracts between sophisticated parties, the trend through 2024 and 2025 has been to enforce gross-negligence limitations where they are clear, conspicuous, and the parties had bargaining parity. I would not assume that trend will continue. Counsel drafting a cap that runs to gross negligence should expect a contested motion if the conduct actually rises to gross negligence in the trial court.
What the cap should and should not reach
The standard SaaS cap reads: "Each party's aggregate liability under this Agreement shall not exceed the fees paid by Customer to Vendor in the twelve months preceding the event giving rise to the claim." The carve-outs that should sit outside the cap in any deal I represent the customer on:
- Indemnification obligations (both IP and any data-breach indemnity);
- Breach of confidentiality;
- Gross negligence and willful misconduct;
- Breach of the data-protection or privacy obligations;
- Payment obligations.
The vendor will push back on confidentiality and gross negligence. The compromise I commonly land on: confidentiality is uncapped only for the customer's confidential information actually misappropriated and used (a willful-misconduct-triggered uncap, with a high super-cap if not willful); gross negligence is uncapped, but only if proven as a finding by the trier of fact, not as a pleading standard.
Super-caps and asymmetric caps
The super-cap is the negotiating tool that has been doing the most work in 2025. The structure: the general cap stays at twelve months' fees, but specified categories (typically IP indemnity, data-protection breach, gross negligence) sit under a separate super-cap that is a multiple of the general cap, usually three to five times. The super-cap is what makes the contract acceptable to the customer's risk team without making it commercially unacceptable to the vendor.
Asymmetric caps are also more common than they were a few years ago. The customer's payment obligation is uncapped (or capped at the contract's full term value), but the vendor's performance obligation is capped at twelve months. That asymmetry is defensible and most vendors will accept it. What I push for additionally: the cap is on liability, not on remedies. The customer's right to specific performance (where available) or to suspend payment for material breach should not be reduced because the cap has been hit. Drafted carelessly, a cap can be read to extinguish equitable remedies. Resolve the ambiguity expressly.
The unconscionability defense
For consumer-facing SaaS deals, the cap may face a Civ. Code section 1670.5 unconscionability challenge. Procedural unconscionability is almost always present in a clickwrap. Substantive unconscionability turns on whether the cap is so one-sided as to shock the conscience. A cap at twelve months' fees on a $20-per-month consumer SaaS is, for most claims, defensible. A cap of $100 per user on a service that handles credit-card data and admits no separate carve-out for data-breach exposure is, in my view, the kind of asymmetry a court will look at hard, particularly post-Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015).
The recent California case law I would track is not on caps directly but on the underlying contracts. Tetris Holding LLC v. Xio Interactive Inc. (the 2024 procedural skirmish line on online terms enforceability), the McGill rule's application to SaaS arbitration clauses, and the cases applying the Federal Arbitration Act after Viking River Cruises Inc. v. Moriana, 596 U.S. 639 (2022), and Adolph v. Uber Technologies Inc., 14 Cal. 5th 1104 (2023), all bear on whether the cap will even be tested in litigation. A cap that survives in arbitration may not survive in court, and the arbitration clause is what often determines the forum.
What I do on the customer side and on the vendor side
For customers, I push hardest on three points. First, the data-breach super-cap. Average per-record breach cost is high enough that a twelve-month cap on a $40,000-per-year SaaS does not cover a single moderate breach. Second, the gross-negligence and willful-misconduct uncap, drafted as a finding-of-fact trigger rather than a pleading standard. Third, the carve-out of indemnification from any cap, which should not even be a discussion point in a deal of any size.
For vendors, I push hardest on protecting the general cap from carve-out creep. The customer's first draft sometimes carves out everything that sounds bad, which converts the cap into a list of exceptions. The right structure is: a tight general cap, a defined super-cap with named triggers, and an uncap that is reserved for fraud, willful misconduct, and Civ. Code section 1668 violations. Anything else stays inside the cap.
The drafting tells that flag a cap problem
I look for two language patterns as tells. The first: "Notwithstanding anything to the contrary, the cap shall not apply to ..." followed by a long list. That structure invites a sophisticated counterparty to litigate every comma. Replace it with a defined super-cap. The second: "Liability is limited to the fees paid by Customer in the twelve months preceding the claim, except for breaches of Sections X, Y, and Z, which are uncapped." If Sections X, Y, and Z include data privacy, the contract has effectively no cap on the largest realistic exposure. That may be what the customer wants; it may not be what the vendor's GC realized she was signing.
None of this is novel. The California decisional law on caps is mature. What is new is the willingness of trial courts, post-2022, to look hard at caps in contracts where the imbalance is meaningful. I would not draft a cap in 2026 on the assumption that the 2018-era enforcement posture still controls.
Negotiating a SaaS cap right now?
If you are working through a limitation-of-liability clause on either side of a substantial SaaS deal and want a written redline with the positions I would take, email owner@terms.law with the current draft.
Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.