How to Draft an Indemnification Clause That Survives California Civil Code § 2778 in SaaS Vendor Contracts

How to Draft an Indemnification Clause That Survives California Civil Code § 2778 in SaaS Vendor Contracts

California Civil Code § 2778 supplies 7 default rules that courts read into most indemnity provisions unless your SaaS contract clearly states otherwise. For California-facing SaaS vendors and enterprise customers, these defaults can unexpectedly expand the defense duty and shift control of litigation. This article explains how to draft an indemnification clause that aligns with § 2778, limits unintended obligations, and remains enforceable.

Why California Civil Code § 2778 Matters in SaaS Indemnification

Indemnification in SaaS contracts is often negotiated like a familiar checklist: IP infringement indemnity, third-party claims, control of defense, and exclusions. In California, however, Civil Code § 2778 operates as a set of default “fill-in” rules that can expand or reshape the parties’ bargain when the clause is ambiguous—or silent—on key issues like defense obligations, the timing of payment, and settlement authority.

For attorneys drafting vendor MSAs, platform agreements, and enterprise procurement templates, § 2778 is not academic. It is frequently cited for propositions such as: an indemnity against claims can include a duty to defend; indemnity obligations can be triggered upon tender; and an indemnitor that declines to defend may be bound by a resulting judgment. The takeaway is straightforward: if you do not draft around § 2778 deliberately, California may draft around you.

Quick Map of § 2778’s Default Rules (and Where SaaS Clauses Get Burned)

Section 2778 states interpretive rules that apply “unless a contrary intention appears.” While each subdivision has nuance, SaaS disputes commonly arise around four pressure points:

1) Defense obligations can be implied

When the contract indemnifies against “claims” or “demands,” California authority often treats that as encompassing defense, not just reimbursement—particularly when read alongside § 2778’s framework. If your SaaS deal intends “indemnify” to mean reimburse after liability is established, the clause must say so.

2) Tender and timing of payment

Indemnity clauses that fail to define when the defense duty starts (e.g., upon notice, upon tender, upon filing of a complaint) invite application of § 2778’s defaults. That can result in earlier-than-expected obligations to fund counsel.

3) Control of the defense and counsel selection

If the clause does not clearly allocate control, § 2778 can support arguments that the indemnitor is entitled to control the defense (and pick counsel), or that the indemnitee can proceed independently and later seek recovery if the indemnitor fails to defend.

4) Settlements and consent

SaaS parties routinely add “no settlement without consent” language. If the settlement provision is unclear, disputes follow about whether consent was unreasonably withheld, whether the settlement triggered reimbursement obligations, and whether an indemnitor that refused the defense can later object.

Drafting Goals for a § 2778-Resilient SaaS Indemnification Clause

A clause that “survives” § 2778 is not one that ignores it—it is one that expressly states the parties’ contrary intent where the defaults would produce an unacceptable result. In SaaS vendor contracts, the most common drafting goals are:

  • Define “Indemnify” vs. “Defend” vs. “Hold Harmless” to avoid implied duties.
  • Limit indemnity to third-party claims (not first-party losses, SLA credits, or internal remediation costs) unless intended.
  • Constrain the defense duty (timing, scope, rates, counsel, forums).
  • Protect settlement authority with clear consent and “no admission/no injunctive relief” guardrails.
  • Align indemnity with limitations of liability and exclusions, without creating internal contradictions.
  • Build practical claim procedures (notice, cooperation, document retention, privilege).

Common SaaS Indemnity Structures in California (and What § 2778 Changes)

Vendor-to-customer: IP infringement indemnity (standard)

Vendors typically indemnify customers for third-party claims alleging the SaaS service infringes IP rights (copyright, trade secret, patent depending on leverage). § 2778 pressure point: if you promise to indemnify against “claims,” a defense duty may be read in unless expressly limited.

Customer-to-vendor: content/data and misuse indemnity

Customers often indemnify for claims arising from customer-provided content, regulated data, or unlawful use. § 2778 pressure point: customers may inadvertently accept a broad defense obligation with little ability to control counsel spend.

Mutual: third-party bodily injury/property damage (less common in pure SaaS)

In pure cloud software, these are typically narrow. In hybrid IoT/SaaS, they become significant and can intersect with insurance procurement obligations.

Drafting Checklist: The Clauses That Prevent § 2778 “Gap-Filling”

1) Use explicit verbs and defined terms

Do not rely on “indemnify” alone. Define:

“Defend” = provide and pay for legal defense with counsel reasonably acceptable to the indemnitee (or chosen by indemnitor, with conditions).

“Indemnify” = reimburse or pay settlements/judgments to the extent covered, subject to exclusions.

“Covered Claim” = a specifically described category of third-party claim, excluding everything else.

This is the simplest way to show the “contrary intention” that overrides § 2778 defaults.

2) State whether there is a duty to defend—and when it starts

If the parties intend a separate duty to defend, say it starts “upon receipt of written notice and tender.” If the intent is no duty to defend, say: “Indemnitor has no duty to defend; Indemnitor’s obligation is limited to reimbursement of covered amounts after final, non-appealable resolution or approved settlement.”

Be careful: some customers will reject “no duty to defend” for IP claims. A middle-ground approach is to provide a defense duty but cap rates, require use of specified counsel panels, or require cooperation to manage costs.

3) Tender mechanics and notice cure periods

Include (a) how notice is given, (b) a cure period for defective notice, and (c) a prejudice standard: late notice relieves the indemnitor only to the extent materially prejudiced. This avoids opportunistic arguments that a technical notice failure forfeited coverage, while also preserving defenses where delay truly harms the defense.

4) Control of defense with “reasonably acceptable counsel” and conflicts rules

In SaaS, control of defense is often the biggest economic lever. A California-resilient clause should address:

  • Who controls the defense (typically indemnitor) for Covered Claims.
  • Indemnitee’s right to participate at its own expense.
  • Conflicts of interest: if there is a conflict (e.g., claim seeks injunctive relief against customer operations), indemnitee may select separate counsel at indemnitor’s expense, subject to reasonableness.
  • Rate reasonableness and billing guidelines.

5) Settlement authority: consent, injunctive relief, and admissions

Add clear settlement constraints. Common protections for the indemnitee:

  • No settlement that includes an admission of fault or wrongdoing by the indemnitee.
  • No settlement imposing injunctive or equitable relief on the indemnitee (including mandated product changes, data deletion, or service shutdown) without written consent.
  • No settlement requiring payment by the indemnitee unless it consents.

For balance and enforceability, include that consent will not be unreasonably withheld or delayed (or specify objective conditions under which consent is deemed granted).

6) Define remedies for IP claims (repair/replace/workaround/refund)

California SaaS IP indemnities often include a “remedy ladder”:

  • procure right to continue use;
  • modify to be non-infringing;
  • replace with functionally equivalent service;
  • if none commercially reasonable, terminate and refund prepaid fees for the unused term.

Explicit remedies reduce uncertainty and can help prevent courts from implying broader obligations.

7) Draft tight exclusions (especially for customer data, combinations, and misuse)

Vendor IP indemnities usually exclude claims arising from: (a) customer content/data, (b) combinations with non-vendor products, (c) customer modifications, (d) use outside scope, (e) open-source introduced by customer, or (f) use of outdated versions where an update would have avoided infringement. These exclusions should be drafted as causation-based (“to the extent arising from…”) to avoid overbreadth challenges and to preserve partial coverage where appropriate.

8) Align indemnity with limitation of liability—explicitly

A common drafting failure is internal contradiction: the MSA caps “all liability,” but the indemnity section states “indemnitor will indemnify for all losses” without mentioning the cap or carve-outs. In California litigation, ambiguity invites judicial construction.

Best practice is to add a direct cross-reference: “Indemnity obligations are subject to the limitation of liability in Section X, except that [IP infringement indemnity/third-party bodily injury] is excluded from the cap.” Or, if you want the cap to apply, say so plainly.

Example: A § 2778-Conscious Indemnity Framework (Illustrative)

The following is illustrative sample language for a vendor-to-customer IP claim indemnity. It is not

Scroll to Top