Carve-outs let parties deviate from the general liability cap for particular categories. Vendors frequently see requests to carve out confidentiality breaches, data security incidents, IP infringement, or gross negligence and willful misconduct. The vendor perspective is to limit carve-outs to risks they can meaningfully manage and to set a second, higher cap instead of going fully uncapped.
A common pattern: general cap at 12 months of fees, with a super-cap (2–3x fees) for data security and confidentiality, and a true carve-out for bodily injury or IP infringement defense costs. This balances buyer concerns with the vendor's need for insurable limits.
Whatever structure you choose, spell out whether carve-outs also waive exclusions on consequential damages and how multiple claims stack against the cap. Clarity prevents double-dipping or unintended uncapped exposure.
THIS IS NOT LEGAL ADVICE.