“Mutual” Contract Terms That Aren’t Actually Fair to Vendors


When you’re a startup or small vendor negotiating a services agreement with a larger customer, “mutual” contract language may sound fair. But it can quietly shift disproportionate risk onto you.

Here are three interrelated areas where this dynamic shows up most often: indemnification, limits of liability, and confidentiality.

How Mutual Indemnification Clauses Favor the Buyer

An indemnification clause determines which party covers the cost of a claim. Many large customers propose language along the lines of “each party will indemnify the other for third-party claims arising from that party’s negligence or breach of its obligations.” That reads as balanced, but it isn’t.

That’s because the customer’s obligations are usually narrow: pay on time and provide the information you need to do your work. Your obligations, on the other hand, are more detailed: deliver the work product; meet project milestones; comply with representations and warranties about quality and legal compliance; adhere to the customer’s IT security policies; maintain insurance; protect confidential data; and more.

As your IT security team might say, you have a much larger “attack surface.” The probability that you will breach an obligation — and trigger the indemnity — is higher because you have more obligations to breach.

The fix here is not to demand that the customer match your indemnity exactly. Instead, focus on making sure the clause is tightly scoped to the actual risks of what you’re delivering. If you’re providing advisory services, your indemnity shouldn’t look the same as if you’re building and hosting mission-critical software. Push to remove vague, catch-all indemnity triggers and replace them with specific, defined scenarios that reflect the actual work.

Indemnities are also closely tied to how much you could owe if things don’t go as planned. This is where liability caps come into play.

Why Mutual Liability Caps Still Leave Vendors Exposed

A liability cap sets the maximum amount one party can owe the other under the contract. Many large-company contract templates either contain no cap at all or include only a mutual exclusion of consequential, incidental, and punitive damages. On the surface, excluding indirect damages for both sides looks evenhanded. But given the asymmetry in obligations, the vendor is far more likely to face a claim. A mutual exclusion of consequential damages, without a cap on direct damages, can still leave you with significant exposure.

To address this, research what’s reasonable and market-standard for your industry and the type of work you’re performing. A managed IT services provider handling sensitive data will be expected to carry more risk than a marketing consultant. But in either case, a cap — typically expressed as a multiple of fees paid or payable under the agreement — is worth negotiating for.

Don’t try to disclaim all liability; it signals bad faith and most sophisticated buyers won’t accept it. But unlimited exposure may also not be appropriate. This is especially true if the customer plans to take your deliverables and modify them, or if you’re providing advice that the customer will use to make their own decisions.

One area customers often push back on is carving confidentiality breaches out of the liability cap. They’ll argue that if you leak their data, the cap shouldn’t apply. That means you’ll want to review the confidentiality provisions carefully.

Mutual Confidentiality Obligations With Unequal Scope

A confidentiality obligation requires each party to protect the other’s sensitive information from disclosure. Mutual confidentiality provisions are standard. But “mutual” here can be misleading because the obligations may be the same while the scope of what they cover is very different.

Consider how each party’s confidential information is defined. In many customer-drafted agreements, the customer’s confidential information is defined broadly: everything the customer discloses to you, whether or not it’s marked as confidential.

Your confidential information, meanwhile, may be limited to material you specifically mark in writing, or to a narrow list describing your pre-existing intellectual property — not the work you actually perform for the customer.

In practice, this means you’re taking on substantial obligations to protect a wide universe of customer information, while the customer’s reciprocal obligations cover very little of yours.

There’s also the question of duration. Confidentiality obligations that run for five years, ten years, or in perpetuity translate into real operational costs for a smaller company. You may need to maintain secure storage, train employees on data handling, and implement deletion protocols — all of which cost money and require ongoing attention. If the obligations aren’t time-limited, you’re signing up for those costs indefinitely.

Read Mutual Provisions for Their Practical Impact

The same words applied to parties with different roles, different obligations, and different risk profiles will produce different outcomes. That’s not necessarily unfair; in some cases, it’s market-standard and appropriate. But understanding how even “mutual” wording applies to your specific position is essential before agreeing to it.

Just as you’d evaluate a business partner based on their actions and not just their words, read your contracts for their practical impact. You may end up accepting terms that apply to you more than to the other side. That’s fine as long as you’re making that decision from an informed position, not because someone told you it was “mutual.”

If you’d like a contract — mutual or otherwise — reviewed, feel free to contact Spark + Sterling.