Broadcom Indemnification Provisions: What You Lose and How to Negotiate Back

Indemnification provisions in Broadcom and VMware contracts decide who pays when a third party sues over the software, when intellectual property claims emerge, and when data breaches expose customers to regulatory liability. They are also among the most heavily edited clauses in any Broadcom negotiation, because Broadcom's standard indemnification language has narrowed significantly since the acquisition closed in November 2023.

This guide walks through the indemnification clauses that appear in current Broadcom subscription contracts, the legacy VMware indemnification language that customers should preserve where possible, and the negotiation positions that have produced workable indemnification structures in our recent contract work. We are an independent advisory; this guide is informed by contracts we have reviewed in audit and renewal engagements but is not legal advice.

What indemnification actually covers

An indemnification clause is a contractual allocation of risk. It identifies a specific type of loss (typically arising from third-party claims), assigns the obligation to defend and pay that loss to one party (the indemnitor), and identifies the party who receives the protection (the indemnitee). Indemnification clauses do not create liability where none exists; they allocate liability that the law would otherwise leave to the parties to negotiate after the fact.

In software contracts, three categories of indemnification appear with regularity: intellectual property indemnification (typically running from licensor to customer, covering third-party IP infringement claims based on the software); data and privacy indemnification (typically running from licensor to customer for data processing roles, but increasingly bidirectional); and general indemnification (a residual category covering miscellaneous third-party claims).

The VMware IP indemnification, pre and post acquisition

Pre-acquisition VMware MSLAs contained an intellectual property indemnification that ranked among the strongest in the enterprise software market. The clause obligated VMware to defend and indemnify the customer against any third-party claim alleging that the VMware software infringed a US patent, copyright, or trade secret. The clause included no cap on liability, no exclusion for combination claims (claims arising from the customer's combination of VMware software with other software), and a customer-favourable choice of remedy if infringement was established.

The Broadcom subscription contracts have narrowed the IP indemnification in several material ways. The indemnification is capped at the fees paid in the preceding twelve months. Combination claims are explicitly excluded. The customer's choice of remedy is replaced with a Broadcom-elected remedy, which typically permits Broadcom to either modify the software, replace the software with a non-infringing equivalent, or refund the unused portion of the subscription fee.

The practical impact is that customers who continue to operate under pre-acquisition VMware MSLAs have substantially better IP indemnification than customers who have signed Broadcom subscription contracts. The IP indemnification is, in our analysis, one of the most valuable contractual rights customers lose when converting from perpetual to subscription, and is rarely highlighted in the conversion conversation.

What to negotiate on IP indemnification

If a new Broadcom subscription contract is on the table, the negotiation positions on IP indemnification are: removal of the twelve-month cap, replacement with a multiple-of-fees cap (typically three to five times annual fees); removal of the combination claims exclusion, or narrowing the exclusion to combinations with software that competes with Broadcom; restoration of customer choice of remedy; explicit obligation to provide a non-infringing equivalent with no degradation of functionality; and an explicit obligation to defend (not merely indemnify), with customer right to counsel of choice at indemnitor expense.

Data and privacy indemnification

Data and privacy indemnification has emerged as a distinct category in the last five years, driven by GDPR, CCPA, and the proliferation of state and national data privacy regimes. The indemnification typically runs from a software vendor that processes personal data as a processor (on behalf of the customer-controller) to the customer, covering claims arising from the vendor's breach of its data processing obligations.

Broadcom's data processing obligations vary substantially by product. VMware on-premises products (vSphere, vSAN, NSX) typically do not process personal data on Broadcom's behalf and therefore generate limited data processing indemnification exposure. Broadcom-hosted services (VMware Cloud on AWS, Tanzu Mission Control, Aria Hub) do process personal data and generate substantial exposure.

The data processing indemnification in Broadcom subscription contracts is typically limited to regulatory fines and direct damages, with consequential damages excluded. Customers in jurisdictions where regulatory exposure is substantial (Europe under GDPR, California under CCPA, Brazil under LGPD) should negotiate for broader coverage including investigation costs, notification costs, and credit monitoring costs.

The data processing addendum

Most Broadcom subscription contracts include a Data Processing Addendum (DPA) that operates alongside the indemnification clause. The DPA defines the parties' respective roles (controller, processor, sub-processor), the categories of personal data processed, the sub-processors permitted, the transfer mechanisms relied on for cross-border transfers, and the audit rights customers have over Broadcom's data processing.

The DPA is frequently treated as boilerplate, but it interacts with the indemnification in ways that matter. A DPA that limits the customer's audit rights over Broadcom's data processing limits the customer's ability to establish the breach that triggers indemnification. A DPA that permits broad sub-processor changes without notice exposes the customer to data residency and transfer risks the indemnification does not necessarily cover.

Mutual indemnification provisions

Most Broadcom subscription contracts include a mutual indemnification provision under which the customer indemnifies Broadcom for claims arising from the customer's use of the software in violation of the contract, the customer's data, or the customer's combination of the software with other systems. The mutual indemnification is frequently broader than the IP indemnification flowing the other direction, and is rarely subject to a cap.

Customer-favourable negotiation on mutual indemnification focuses on three points. First, the scope of the customer's indemnification should be narrowly tied to the customer's wilful breach of the contract, not to any use that arguably exceeds entitlement. Second, the customer's indemnification should be capped at a multiple of fees paid, mirroring the cap on Broadcom's indemnification. Third, the customer's indemnification should exclude claims that arise from the software itself (which would otherwise reverse the IP indemnification flowing from Broadcom).

Indemnification in the audit context

Indemnification clauses also appear, less obviously, in the audit context. Several Broadcom MSAs include language under which the customer indemnifies Broadcom for the cost of an audit if the audit reveals under-compliance above a stated threshold. This is a contractual cost-shifting provision dressed as an indemnification, and is enforceable as such.

The cost-shifting indemnification is a routine source of leverage in audit negotiation. Customers should resist any indemnification that requires payment of Broadcom's internal audit costs (which include the auditor's salary, allocated overhead, and travel) on an unlimited basis. Reasonable negotiation positions include capping the cost-shift at a defined dollar amount, requiring the auditor to be an independent third party (rather than a Broadcom employee), and excluding any cost-shift where the under-compliance arises from a methodology dispute rather than a clear breach.

Survival of indemnification

The survival clause of an indemnification provision determines how long the indemnification continues after the contract terminates. Most Broadcom subscription contracts limit the survival of indemnification to a short tail (typically twelve months after termination), after which neither party can call on the indemnification.

This is a substantial change from pre-acquisition VMware MSLAs, which typically provided that IP indemnification survived for the longer of the licence term or any applicable limitations period. The reduced survival period exposes customers to risks that emerge after the contract has ended but originated during the contract term. Negotiating for a longer survival period (three to seven years, matching typical software warranty periods) is a sensible protection.

Where indemnification fits in the larger contract

Indemnification provisions interact with the limitation of liability clause, the insurance requirements, and the warranty disclaimers. A customer-favourable indemnification clause is undermined by a tight limitation of liability clause that caps the indemnitor's exposure at a small multiple of fees. A robust IP indemnification is undermined by an insurance clause that allows the indemnitor to satisfy its obligation by tendering an insufficient insurance policy.

The contract should be read as a whole, with the indemnification provisions, the limitation of liability, the insurance requirements, and the warranty terms negotiated as an integrated package. A bilateral cap on indemnification at a low multiple of fees, paired with an insurance requirement that ensures the indemnitor maintains adequate coverage, is generally a more workable outcome than an uncapped indemnification supported by no insurance.

The bottom line

Indemnification provisions in Broadcom contracts are weaker than pre-acquisition VMware MSLA provisions, narrower than enterprise software market standards, and frequently accepted as boilerplate by customers focused on the commercial deal. The opportunity to negotiate is real, particularly for customers whose contractual size justifies the negotiation effort. The indemnification a customer accepts on Day One is the indemnification they will live with for three to five years, and the indemnification language that survives is what protects the customer when the unexpected third-party claim arrives.

For a contractual review of indemnification language in a Broadcom proposal or an existing VMware agreement, Contact us →. We provide the licensing and commercial analysis that informs counsel's negotiation of the legal terms.