Software audit indemnities in purchase agreements are the mechanism that turns a diligence finding into recoverable money, and they are worth getting right because a warranty alone rarely does the job for a known exposure. When an independent license review identifies a specific shortfall, a pending publisher review, or a consent that was never obtained, the buyer needs more than a promise that the estate was compliant. It needs a targeted commitment that the seller will pay if the identified risk crystallises. That is what an indemnity provides, and how it is scoped, capped, and secured decides whether the buyer actually recovers when the publisher's claim lands. This page sets out how to build one, as a child of the cluster on M&A software audit risk.
Software audit indemnities in purchase agreements versus warranties
The starting point is understanding why an indemnity, not a warranty, is the right tool for a known exposure. A warranty is a statement of fact that, if false, gives the buyer a damages claim. To recover, the buyer must show the statement was untrue, that it suffered loss, and that the loss flowed from the breach, all subject to knowledge qualifiers, materiality thresholds, and disclosure. That is a reasonable structure for risks no one knew about. It is a poor structure for a risk the diligence has already found, because the seller will argue the issue was disclosed or known and therefore not a breach. An indemnity sidesteps this by directly promising to reimburse a defined loss if a defined event occurs, regardless of whether anyone breached anything. For a quantified software audit exposure, that directness is decisive, and it is why the indemnity should be drawn specifically from what the review measured, the same alignment that drives the warranties described in reps and warranties for software audit exposure.
Scope the indemnity to the whole exposure
An indemnity is only as good as its scope, and the most common failure is scoping it too narrowly. A software audit indemnity should name the publishers and products the diligence identified, but it should also cover the full shape of a publisher claim, not just the bare license shortfall. That means it must reach back maintenance for the years the gap existed, penalties or interest, the cost of any forced forward subscription, and the reasonable cost of defending the audit itself. A publisher claim compounds through exactly these layers, so an indemnity that covers only the headline license figure leaves the buyer exposed to most of the actual loss. The scope should follow the way the exposure was quantified, which is why the indemnity and the measurement have to be built together. The compounding the indemnity must reach is set out in how latent under-licensing becomes an eight-figure claim.
Resist general caps and baskets on a specific risk
Purchase agreements limit the seller's liability through caps, which set a ceiling on total claims, and baskets, which act as a deductible below which no claim can be made. These are appropriate for the broad universe of unknown warranty risks, where they protect the seller from trivial or speculative claims. They are not appropriate for a specific, quantified software audit exposure that the diligence has already identified. A known risk worth a defined amount should ideally be covered in full, outside the general liability cap and without a basket, because the loss is real and measured rather than hypothetical. A seller will naturally try to fold the indemnity inside the general limitations, and a buyer that allows this can find its recovery capped well below the exposure or eliminated by the deductible. Separating the specific indemnity from the general regime is a core negotiating point, and the buyer's leverage to win it comes from having quantified the exposure precisely. The way structure affects which protections are available is set out in audit risk in stock versus asset deals.
| Element | Weak version | Strong version |
|---|---|---|
| Scope | License shortfall only | Shortfall, maintenance, penalties, defense |
| Cap | Inside general liability cap | Separate, sized to the exposure |
| Basket | Subject to general deductible | No deductible for the known risk |
| Survival | Same as general warranties | Extended to the audit timeline |
| Security | Unsecured promise to pay | Escrow or holdback set aside |
Key takeaways
- An indemnity directly reimburses an identified, measured exposure without the buyer proving breach and loss.
- Scope must reach the whole claim: shortfall, back maintenance, penalties, forced subscription, and defense cost.
- A known software audit risk should sit outside the general cap and basket, covered in full.
- The survival period must extend to the realistic audit timeline, often longer than general warranties.
- An unsecured indemnity is worth little if the seller cannot pay, so back it with escrow or a holdback.
Secure the indemnity against a seller that cannot pay
An indemnity is a promise, and a promise is only as good as the party making it. After a deal closes, sellers frequently distribute the proceeds, wind down, or simply cease to have the assets to satisfy a later claim. A buyer that wins a perfectly drafted indemnity and then cannot collect on it has gained nothing. The answer is to secure the indemnity, most commonly through escrow or a holdback, where part of the consideration is retained by a third party or withheld for a defined period and released only once the indemnity risk has passed. The amount and duration of the escrow should reflect the quantified exposure and the audit timeline, so the funds are still in place when a publisher claim could arise. Securing the indemnity is what converts a contractual right into a reliable recovery, and the mechanics of doing so are set out in escrow and holdbacks for software licensing risk.
Use the indemnity to shape the settlement
A well-built indemnity does more than fund a recovery; it shapes how the eventual audit is handled. Because the seller is on the hook for the loss, the buyer and seller share an interest in keeping the publisher claim as low as possible, which can align them in the defense. The indemnity should set out who controls the conduct of an audit defense, how settlement decisions are made, and how the buyer's reasonable defense costs are reimbursed, so that when a notice arrives the parties are not arguing about process on top of substance. A buyer that has thought this through can run the defense efficiently, draw on the indemnity to fund it, and settle the back exposure at a defensible number, the approach set out in negotiating an audit settlement post acquisition. The legal drafting is for counsel, but the commercial logic comes from the licensing analysis that quantified the risk in the first place.
Recommendations for buyers
- Use an indemnity for known risk. Cover quantified exposure directly rather than relying on a warranty claim.
- Scope to the whole claim. Include back maintenance, penalties, forced subscription, and defense cost, not just the shortfall.
- Keep it outside the general limits. Resist folding a specific exposure into the general cap and basket.
- Extend the survival period. Match it to the realistic timeline for a publisher claim to surface.
- Secure it with escrow. Retain consideration so the recovery is reliable when the exposure crystallises.
Defining the trigger and the conduct provisions
Two operational details decide whether an indemnity functions smoothly when an audit actually arrives: the trigger and the conduct provisions. The trigger defines what event entitles the buyer to claim. It should be drawn broadly enough to capture the realistic ways exposure surfaces (a formal audit notice, a publisher compliance demand, a settlement the buyer reasonably agrees to), not so narrowly that only a final judgment counts. A narrow trigger can leave a buyer unable to claim for a sensible commercial settlement simply because the matter never reached a formal finding. The conduct provisions decide who runs the defense and who controls a settlement. Because the seller is funding the loss, it will want a say, but the buyer must continue to operate the software and maintain the publisher relationship, so it usually needs to retain control of the conduct while the seller stays informed and bears the cost. Getting this balance wrong produces a standoff at the worst possible moment, when a publisher claim is live and the parties are arguing about who decides. A buyer that defines the trigger and the conduct terms clearly at signing converts the indemnity from a theoretical backstop into a working mechanism, ready to fund and govern the defense the moment a notice arrives.
Software audit indemnities in purchase agreements, in one line
Software audit indemnities in purchase agreements turn a diligence finding into recoverable money, but only when they are built correctly. Use an indemnity rather than a warranty for known risk, scope it to the whole compounded claim, keep it outside the general cap and basket, extend the survival period to the audit timeline, and secure it with escrow. A buyer that does this recovers the inherited exposure from the seller. We translate the quantified finding into that protection on the buyer side only, paid solely by the acquirer.