Indemnities are a very important part of every of every software license and technology agreement. Essentially there are a number of risks in most technology contracts that realistically, only the other party is positioned to manage. Some examples include questioning: (i) if your software licensor has all of the appropriate rights necessary to lawfully grant you a license; and (ii) has the software consulting firms implemented appropriate agreements with their staff to ensure those consultants are not considered your statutory employee for the purposes of employee withholding taxes, and who is for defending claims from 3rd parties that contest either of those facts? Here is a common Indemnity contractual framework:

1.) Some indemnities are just made to the other legal entity; i.e. from the vendor to the customer. However, it is not uncommon for the customer requesting the indemnity to name Customer officers, directors and employees or by job title and directors that will be protected under the indemnity.

2.) Some indemnities include a set of prescribed remedies, like an IP Infringement claim. The vendor might state they have the option to secure a license to the infringing work, replace it with non-infringing work, or if those remedies are not practical, then provide the customer with a refund (sometimes a depreciated value refund, as an infringement could come years later.) In some custom software development contexts, the customer might qualify the vendor’s right to replace the infringing work with products that do not materially degrade the performance or functionality of the original work.

3.) Many indemnity provisions make the indemnity protection conditioned upon: (i). prompt notice of the demand or claim; (ii) the vendor’s control over the defense or settlement of the action or claim; and (iii) the customers cooperation, as requested by the vendor, in the defense or settlement of the claim. This makes sense, given that an effective defense is generally dependent upon these elements.

NOTE: Some entities (generally larger entities) when they are being indemnified stipulate: (i) that they may participate in the defense at their own cost; (ii) in some cases, if the indemnified party does not promptly notify the other party (indemnifier) of the claim, they reserve the right to conduct the expense themselves in which case the indemnifier will be responsible for the cost of that defense and judgment.

Often an IP indemnity will exclude actions based upon public domain data; or infringement claims based upon Customer provided data (remember the Customer must remain liable for getting appropriate consents for the Customer provided data, the vendor is not positioned in the document flow to do that directly). This makes sense because Public Domain data is available to everyone, but it is not provided with an indemnity, so if it does not come to the vendor with an indemnity they would be accepting a blind risk if they then offered an indemnity on that public domain data to their customer.

Under common law (US and the UK), each party is expected to pay their own legal fees and expenses. In some instances, you may provide that the winner of an action is entitled to recoup legal fees (particularly in family law divorce cases), but that is the exception. In Europe and many other geographies that have a civil law system based upon the European model, that presumption at law is reversed and the winner of a legal dispute is ordinarily entitled to recoup his legal costs and expenses. The thought behind the common law requiring each party to pay their own legal fees, is that it would create a “chilling effect” when a smaller party had a valid claim but was intimidated into not pursuing their rights for fear they might need to pay for the other parties legal fees, if they fail to win their argument.

Many indemnity provisions state that the indemnity is an exclusive remedy simply because it is rather extraordinary in scope and it reverses the general legal assumption that everyone pays their own costs. So, you generally reserve an extraordinary remedy for an extraordinary claim, rather than for just a simple breach. Often indemnities are provided for things like an IP infringement breach; sometimes a breach of confidentiality; and now it is not uncommon for an indemnity to include a breach of privacy obligations and security obligations. In the day and age of GDPR, it is particularly important that the party gathering and collecting the data does also secures the proper consent from the data subject for the use of that Personally Identifiable Information (PII) data for that specific purpose. If that is not done properly, the  use of that data may be subject to significant fines. Under the EU General Data Protection Regulation  the vendor would likely be considered a Processor and they would be subject to significant fines from the local country’s Supervisory Authority as well as other claims directly from the Data Subject. The reason for requesting the indemnity is simple; you are relying upon the party that selects, gathers and transmits that PII data to secure appropriate authorization; to advise theme what PII they are collecting and what purposes that PII will be used for. If these obligations are not properly complied with by the party providing the PII data to you (your supplier or vendor), you cannot protect yourself from these GDPR claims, so an indemnity from the only party that can control that risk is sensible.