AI and Data Licensing · Memo

Synthetic-Data Generation Contracts and the Indemnity Language That Actually Allocates Risk

Synthetic-data licensing has gone from niche to standard in the past three years. The contracts have not caught up. I am going to walk through what the indemnity language needs to do and what most current contracts are getting wrong.

Synthetic data is generated by a model, typically a generative model trained on real-world data, and is used as a substitute for or supplement to real data in downstream training, testing, validation, or evaluation. The use case is most developed in computer vision (synthetic faces, synthetic scenes), in tabular data for healthcare and finance (synthetic patient records, synthetic transaction logs), and in natural language processing (synthetic conversations, synthetic documents). The marketing pitch is that synthetic data eliminates the privacy and licensing problems of real data while preserving statistical utility.

The marketing pitch is partially true. Synthetic data does reduce some categories of risk relative to real data. It does not eliminate the risk allocation question, and it introduces some new categories of exposure that the standard data-licensing template does not address. The contracts I have reviewed in 2024-2026 have, in many cases, copied indemnity language from real-data licensing templates without adjusting for the synthetic-specific risks. The mismatch is the source of most of the unallocated exposure.

The three categories of synthetic-data risk

The first category is the source-data risk. Synthetic data is generated by a model trained on real data. If the real data was acquired without adequate licensing or consent, the resulting synthetic data may carry latent infringement, privacy, or trade-secret claims. The synthetic data is, in a meaningful sense, a derivative of the source data.

The second category is the memorization-and-leakage risk. Generative models can memorize training-data details and reproduce them in outputs. A model trained on personal health records may, with sufficient prompting, output text that closely matches actual records in the training set. The same is true for proprietary documents, copyrighted text, and other source material. The synthetic data is intended to be statistical rather than reproductive, but the realization of that intent depends on the model design, the training procedure, and the validation work the generator performs.

The third category is the downstream-use risk. The buyer of synthetic data uses it to train a downstream model, which may itself produce outputs that retain features traceable to the original source data. The chain of derivation is: source data, generator model, synthetic data, downstream model, downstream output. Each link introduces independent risk allocation questions.

What the standard indemnity template does not cover

The standard data-licensing indemnity template, drawn from older real-data and content-licensing practice, allocates risk based on the categories of claims that arise in real-data licensing: infringement of copyright, infringement of trade-secret rights, violation of privacy or publicity rights, and breach of representations regarding the licensor's authority to grant the license. The template does not, in most current iterations, distinguish between risks attributable to the source data, risks attributable to the generation process, and risks attributable to the buyer's downstream use.

The result, when a claim arrives, is that the indemnity scope becomes the subject of dispute. The generator argues that the claim arises from the buyer's downstream use, which is outside the indemnity. The buyer argues that the claim traces back to source-data deficiencies, which are within the indemnity. The contract does not resolve the question because it was drafted without the synthetic-specific categories in mind.

Drafting the source-data warranty and indemnity

The source-data warranty should address the categories of source data used to train the generator, the licenses or consents obtained for that source data, and the limitations of the generator's source-data audit. A common workable formulation:

Generator represents and warrants that the source data used to train the generative model from which the Synthetic Data is produced was obtained pursuant to license, consent, or other lawful authority adequate to support the use of such source data for the training of the generative model and the production and distribution of Synthetic Data. Generator further represents that it has maintained a source-data provenance file documenting the source of each material category of training data and the basis of authorization. Generator will provide Buyer with access to the source-data provenance file under reasonable confidentiality conditions.

The indemnity to match: Generator indemnifies Buyer against third-party claims alleging that the Synthetic Data, or the use of the Synthetic Data in accordance with this agreement, infringes intellectual property rights, violates privacy or publicity rights, or breaches confidentiality obligations, where the claim arises from the source data used to train the generative model.

The carve-out: Generator's indemnity does not extend to claims arising from Buyer's modification of the Synthetic Data, Buyer's combination of the Synthetic Data with data from other sources, or Buyer's use of the Synthetic Data for purposes outside the agreement's defined scope.

The memorization-and-leakage warranty

The memorization risk is the synthetic-specific category that most current contracts handle poorly. A defensible warranty needs to address what testing the generator has performed to detect memorization, what the testing showed, and what the generator's contractual representation is about the residual risk.

The drafting moves: a representation that the generator has performed membership-inference testing on the synthetic dataset using methodology consistent with current industry practice; a representation that no individual record in the synthetic dataset, on the basis of such testing, has a higher-than-defined probability of being substantially reproducible from a record in the source data; an indemnity covering claims arising from reproduction of source-data records in the synthetic output, with the indemnity caveats below.

The trickiest drafting question is the standard of care. Memorization detection is an evolving methodology; what is reasonable today may be substandard in two years. The contract should reference a defined methodology with a contractual update path rather than a fixed standard. The methodology should be specified in a schedule that can be updated by mutual agreement as the field evolves.

The downstream-use indemnity

The downstream-use indemnity allocates risk for claims arising from the buyer's use of the synthetic data to train a downstream model. The generator wants to exclude downstream-use claims because the buyer controls how the synthetic data is used, what downstream model is trained, and what downstream outputs are produced. The buyer wants to retain coverage because the downstream claim is often traceable to source-data or memorization risks in the synthetic data itself.

The compromise that I see working in practice: the generator's indemnity covers claims to the extent attributable to the source data or to memorization within the synthetic data, regardless of the buyer's downstream use, but is reduced or denied to the extent that the claim is attributable to the buyer's specific downstream choices (model architecture, training procedure, deployment context, downstream fine-tuning). The drafting needs to be careful about the 'to the extent' language. A complete carve-out for downstream use eliminates the indemnity's value; a complete allocation to the generator eliminates the indemnity's enforceability.

Defense control and settlement authority

The indemnity mechanics on synthetic-data claims require careful drafting. The generator typically wants to control the defense because the defense will involve disclosure of source-data provenance, of generator-model architecture, and of memorization-testing methodology, all of which are sensitive. The buyer wants meaningful participation rights because the claim will, in practice, often allege harm to the buyer's downstream business, and the buyer's reputation and operational continuity may be at stake.

The negotiated structure that has worked in deals I have drafted: the generator controls the defense and the conduct of the litigation; the buyer has the right to participate at its own cost with counsel of its choice; the generator may not settle any matter on terms that admit fault on the buyer's part, that impose ongoing restrictions on the buyer's use of synthetic data, or that require the buyer to make public statements, without the buyer's consent; the buyer cooperates with the defense, including providing reasonable access to information about its use of the synthetic data, subject to confidentiality protections.

The cap structure

The indemnity cap for synthetic-data contracts is often set with reference to the fee paid for the synthetic data. That is the wrong reference point in most cases. The buyer's exposure from a synthetic-data claim is the cost of the litigation, the cost of any judgment or settlement, and the cost of retraining a downstream model if the synthetic data must be removed from the training set. A cap at the data-license fee does not approximate the buyer's exposure.

The drafting moves that align the cap with the exposure: a super-cap for the indemnity that is meaningfully higher than the data-license fee (often a multiple of the annual contract value); an uncapped indemnity for specifically defined categories of claim (typically gross negligence or willful misconduct of the generator, or specific source-data warranty breaches); a carve-out from any indirect-damages disclaimer for the indemnity's covered claims. The cap structure is one of the most negotiated elements and the most consequential when a claim actually arrives.

The model-output indemnity stack

Synthetic-data buyers are often also AI-model buyers. The buyer is licensing synthetic data from one vendor to train a model produced by another vendor, or running the synthetic data through its own training infrastructure. The indemnity stack across the model-output side and the synthetic-data side needs to be coordinated.

The buyer's exposure may involve a single claim that implicates both vendors: a claim that the buyer's deployed model reproduces source-data records, where the reproduction is partly attributable to the synthetic data's residual memorization and partly attributable to the model's architectural choices. The buyer's indemnity demand will reach both vendors. The vendors' contracts will each try to channel the claim to the other vendor. The buyer needs to ensure that the contracts together cover the buyer's actual exposure rather than leaving a gap in the middle.

The drafting move: ensure that each vendor's indemnity covers the categories of claim attributable to its own contributions, and that the carve-outs of one vendor do not align too neatly with the coverage gaps of the other vendor. The buyer's counsel should map the categories of likely claim, allocate each category to the appropriate vendor's indemnity, and identify any uncovered residue. The residue is the buyer's retained risk; the buyer should know what it is before the contract is signed.

The privacy-overlay considerations

Synthetic data derived from personal data implicates the privacy statutes in some configurations. The CPPA's draft guidance suggests that synthetic data sufficiently transformed from its sources may not constitute personal information under the CCPA. The same may not be true under GDPR Article 4(1) for personal data, where the standard for anonymization is higher. The contractual representations about the privacy status of synthetic data should be drafted with reference to specific jurisdictions and specific source-data categories.

The HIPAA-derived synthetic data context is the highest-risk privacy overlay. Synthetic medical records that retain statistical features of source records may be characterized by HHS as derivative protected health information depending on the methodology. The contract should not represent that synthetic data is HIPAA-exempt without legal review of the specific transformation methodology.

What I would not assume

Synthetic data is a fast-moving technical area, and the contractual practice is even less settled. The drafting moves I describe address the risks visible in current matters. Some of the underlying questions (the statistical conditions under which synthetic data is genuinely separable from source data, the legal status of synthetic outputs under copyright and privacy law, the methodology standards for memorization testing) are unresolved. Counsel drafting synthetic-data contracts should expect that the practice will continue to evolve and should build in update mechanisms for the technical schedules rather than freezing them in the contract text. Outcomes in specific matters depend on the methodology, the source data, and the downstream use case.

Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.