Beyond Caps and Indemnities—Six Emerging Pressure-Points in Today’s IT Contracts

IT contracts have become the backbone of modern business. Whether you’re procuring software, outsourcing a service, or integrating third-party platforms, the risks embedded in these agreements can have significant commercial and operational consequences. Here, Commercial + Corporate lawyer Vladimir Kravchenko explores six emerging pressure points shaping risk allocation in contemporary IT deals.

Every IT lawyer knows the drill: liability caps, indemnities, warranties, insurance, dispute resolution. Important, yes—but well-worn ground. The real challenges for today’s deals are emerging in subtler corners of the contract, where technology is evolving, often faster than the law. In this piece, we explore six of those shifting pressure points.

1. Quantifying Traditional Risk: Still the First Domino

While this article side-steps a deep dive into caps, indemnities and insurance, one immutable rule remains: price and risk must be modelled together from day one. Put numbers on potential liability early, let finance see the worst-case scenario, and ensure commercial terms flex accordingly. Sophisticated parties already align fee structures to risk allocation; everyone else should catch up, fast.

2. Data Harvesting: The Quiet Grab for Your Competitive Edge

A growing number of SaaS and PaaS providers ask for broad rights to “anonymised,” “aggregated” or “usage” data so they can “improve” their services or train machine-learning models. The language looks innocuous, but those words address personal data: stripping out personally identifiable information does nothing to protect confidential business information. Aggregated usage data can still encode pricing logic, customer segmentation, workflow configuration, trade secrets or even proprietary code that your staff have fed into the service.

If the provider can reverse-engineer patterns from your data, or trains a model that reproduces your inputs to other tenants, competitors using the same platform may enjoy features built on your intellectual property. To address this risk, I’d recommend the following non-exhaustive approaches:

  • reserve “anonymised data” licences for narrow, specified purposes (e.g., benchmarking or error detection) with a clear prohibition on reverse-engineering and on re-identification;

  • carve out any datasets that may themselves be your IP (e.g., algorithms, pricing matrices, formulas); and

  • insist on disclosure rights: you are informed, in advance, of any new use case for your data, with a right to object before it begins.

Negotiating middle ground here is possible. Unlimited rights rarely make sense for a customer; a time-bound, purpose-limited licence often gives providers enough runway without sacrificing your proprietary advantage.

3. Regulatory Pass-Throughs: When Someone Else’s Compliance Becomes Your Problem

I increasingly see suppliers importing their own regulatory burdens into client agreements by default. For example:

  • GDPR overreach: A European vendor pressing Australian or US customers to sign exhaustive data-processing agreements even where the GDPR has no extra-territorial bite.

  • Security of Critical Infrastructure (SOCI) “catch-all” clauses: Australian entities classified as “responsible entities” under SOCI demanding every third-party supplier, including those with zero interaction with a critical asset, accept full compliance and indemnity obligations.

A more disciplined approach is to require the supplier to map which obligations legitimately flow down and explain why, and to ensure any pass-through is tied directly to the scope of services being delivered rather than the supplier’s entire regulatory universe. Just as importantly, indemnities should be firmly rejected where they relate to obligations that do not legally apply to you. In practice, many suppliers will resist detailed mapping exercises, so a more achievable strategy could be to frame the ask as proportionality: pass through only what is legally necessary and relevant to the services, and nothing more.

Compliance frameworks should be applied surgically, not with a dragnet.

4. Unilateral System Updates: The Hidden Cost of “Evergreen” Software

Continuous deployment is the lifeblood of modern software, but unilateral update clauses can wreak havoc on a customer’s business processes. Overnight, a core workflow disappears, user interfaces shift, or integrations break.

Even minor UI tweaks can ripple through training programmes, standard operating procedures and downstream systems.

To mitigate this, clients should insist on prior written notice of any change that removes existing functionality, diminishes performance, or requires material re-configuration on their side. They should also reserve the right to defer or even refuse updates that would undermine compliance obligations or interrupt business-critical processes, while carving security patches out of that right: a customer that can hold back a vulnerability fix takes on the resulting exposure itself, so the contract should oblige the provider to ship security fixes promptly and separately from feature changes. And where updates fundamentally alter the service, contracts should include exit rights or service credits if the provider cannot maintain functionality that is at least “substantially similar” to what was originally agreed.

That said, most SaaS vendors will not agree to deferral rights or broad exit triggers, so a more commercially realistic compromise can be to focus on notice, consultation, and service credits as the minimum baseline.

Modern DevOps cannot stop, but it can slow down long enough for customers to adapt.

5. AI-Driven Systemic Defects: Automation’s Double-Edged Sword

Westpac’s AU$1.3 billion AML/CTF penalty (proceedings commenced by AUSTRAC in 2019, the penalty ordered by the Federal Court in 2020) predates today’s AI hype, yet it is a cautionary tale of what happens when automated processing runs unchecked: the bulk of the contraventions were international funds transfer instructions that an automated reporting process had failed to report over several years. As businesses deploy machine-learning to screen transactions, underwrite loans or manage supply chains, the risk profile shifts from isolated bugs to systemic defects replicated in every decision the model makes.

An AI model trained on flawed or biased data can perpetuate non-compliance at scale, triggering regulatory fines, class actions and reputational damage. Unlike a conventional bug, the defect may be invisible in any single output and only detectable by testing the model’s behaviour across a population of decisions.

Managing this risk means going beyond standard liability allocation to build in obligations around testing, monitoring, and remediation. Contracts should include audit rights that provide access to training data sets, model documentation, and output testing, and they should allocate responsibility specifically for algorithmic performance rather than treating problems as mere “software defects.” Just as importantly, for high-risk decision points such as credit approvals, employment screening, or healthcare outcomes, human-in-the-loop safeguards should be a contractual requirement to prevent unchecked reliance on automated outputs.

Remember: algorithms do not commit misconduct in the legal sense, but their owners certainly do.

In reality, major vendors are highly unlikely to grant full access to training data or model documentation, so a pragmatic alternative is to require transparency reports, regulator-facing documentation, or audit summaries that give clients enough insight to assess and manage their compliance obligations.

6. Third-Party Components: The Liability Black Hole

Most cloud platforms are stitched together from micro-services, open-source libraries and niche APIs, and most IT offerings incorporate third-party elements of one kind or another: plug-ins, integrations, cloud hosting, background code. Suppliers therefore insert broad disclaimers for “Third-Party Materials,” disclaiming warranty and, often, liability in toto. When those components form a mission-critical part of the service, customers risk falling into a no-remedy void: no direct contract with the third-party provider, and no recourse against the primary supplier if a critical function fails.

The key is to identify which third-party components are truly essential to delivering core functionality and to push the supplier to stand behind them. That starts with visibility: require the supplier to provide, and keep current, a list of the third-party components and sub-processors on which the service depends, because you cannot negotiate around a dependency you cannot see. In practice, however, suppliers will rarely agree to full back-to-back warranties or broad indemnities. A more realistic position is to require the supplier to manage continuity proactively, provide suitable replacements, or offer service credits if a critical third party fails. For bespoke integrations, escrow or source-code access remains a valuable safety net, though only if the deposit is updated and verified against each release and the client can actually build and run what is deposited; for a hosted service, the code alone does not restore the infrastructure it ran on. Vendors often resist escrow unless the client has real leverage. And in some cases, the most practical solution is to contract directly with the relevant third-party provider for core functionalities, rather than relying on flow-through protections.

If the third-party building block is critical, so too is the contractual backbone supporting it.

Contracting at the Speed of Innovation

Innovation loves speed; contracts do not. The art of managing IT risk lies in reconciling those instincts - giving suppliers room to iterate while ring-fencing the exposures that can sink a balance sheet or a career. By pricing traditional risk early and then focusing on the emerging issues - data harvesting, regulatory pass-throughs, unilateral updates, AI-driven defects and third-party black holes - negotiators can surface the real pressure-points before signatures hit paper.

The law will continue to evolve, but the mindset should stay constant: identify who bears which risk, quantify it, and make sure the price matches the exposure. Do that, and turbulence becomes just another part of the flight plan.

Navigating these emerging issues requires more than boilerplate clauses. If you’d like tailored advice on your next IT contract, reach out to Vlad and our team of Commercial lawyers for practical, commercial and fixed cost support.