The SaaS Law Clinic · Nicole G, Esq.

Super-cap

Also known as: super-cap · super cap · enhanced cap

A higher liability cap that sits above the standard limitation of liability for specific high-risk categories, usually data breach or IP indemnity.

A super-cap is a second, higher liability ceiling that applies to a named category of risk above the standard limitation of liability. The structure looks like this: general liability is capped at one year of fees, but liability for data breach is capped at three years of fees, and IP indemnity is uncapped (or capped at five years of fees). Each tier represents a different judgment about how much exposure the parties are willing to accept for that category.

Super-caps came into wider use as enterprise customers stopped accepting fully uncapped IP indemnity from larger vendors and as data breach liability became a separately negotiated risk. They give the parties a middle ground between "capped at one year of fees" (which a buyer often finds insufficient for a real data incident) and "uncapped" (which a vendor's insurer often will not cover).

The clauses that typically get a super-cap are: IP infringement indemnity, breach of confidentiality, breach of data security obligations, and AI-specific indemnities (especially around training-data infringement and harmful outputs). Some contracts also super-cap fraud and willful misconduct, though those are more often left uncapped.

In drafting, the super-cap number needs to match the vendor's insurance program. If the cyber insurance policy covers up to $10 million per claim, the super-cap on data breach should not exceed that figure unless the vendor is willing to self-insure the difference. Caps disconnected from insurance are negotiation chips that can become balance-sheet events when a real claim hits.
