Managing risk

Consider adopting these practices to limit your exposure to risk.

Patrick McKenzie

Patrick has built four software companies that did business internationally. He now works on Atlas at Stripe.

  1. Introduction
  2. Insurance
    1. Professional liability or errors and omissions insurance
    2. General liability insurance
    3. Risk reducers for underwriting
  3. Click-through agreements and public policies
  4. Privacy policy
  5. Refund and return policies
  6. Terms of service and terms of use
  7. Will I ever need these things?

Many entrepreneurs think that running a business is likely the riskiest thing they’ve ever done. That is probably true, at least from the perspective of financial decisions. (Business failure is unfortunate but very survivable; sports and cars both kill a much higher fraction of users.)

Risk in business is manageable. That is one major reason why firms exist as a concept; they pool a source of risk (the business enterprise) and then separate the economic upside of undertaking the risk, the liabilities associated with the risk, and the actual duties of operating the business.

Incorporation is one way that internet businesses limit risk, by capping the amount the owners or investors are exposed to; liability for debts or damages or injuries to others should not, in general, flow from the business to the owners or investors. Businesses don’t like the prospect of losing all of their assets in the event of a lawsuit, though, so there are other mechanisms as well. We’ll talk about some of them.

Insurance

Insurance is a way to transfer risk from the insured to the insurance company. The insurance company does this in return for guaranteed payments (“premiums”) from a large pool of insureds. Assuming the insurance company prices the insurance correctly or invests the premiums well before paying out, they profit from offering this service while their customers trade the uncertainty of a catastrophic loss for the certainty of a predictable insurance payment.

Businesses purchase a number of types of insurance. The overwhelming majority of policies (and share of payments) is for employment-related insurance, which is discussed in more detail elsewhere. A much smaller portion is for policies that protect the company.

Professional liability or errors and omissions insurance

Companies that produce software that interacts with businesses’ data or that businesses run or that work on systems owned by clients have relatively large exposures in the event of their software malfunctioning. A software upgrade that disrupts a midsized business can cost them tens or hundreds of thousands of dollars in lost revenue; they might decide to sue to collect. A contractor who accidentally drops the production database while doing testing could be held liable for all the costs for replacing it, which could be almost unbounded.

These risks are covered by professional liability insurance, sometimes called “errors and omissions” (E&O) insurance. The mechanics of the policy are simple: Pay a small amount of money every year (generally about $1,000 to start; it scales slowly with the number of employees or revenue of the company). If you don’t get sued, nothing happens. If you do get sued, you “open a claim” (forward the relevant details) to your insurance company. Liability for claims covered by your insurance shifts from you to your insurance company, to the extent described in your policy and subject to limits and deductibles. The insurance company will typically take over responding to the suit, which will frequently result in them offering a settlement to avoid the expense of trial. (Lawsuits are expensive; nobody wants to take one through the entire process.)

Very few software companies actually get sued. Insurance companies report in regulatory filings that the risk for small software development consultancies is less than 1% per year. Most companies that deal primarily with consumers limit their liability with contracts and by offering refunds if the software is not to the customer’s liking. It is incredibly unlikely that you’ll be sued just because someone is merely unhappy with your services.

That said, if your software materially damages a customer, which is quite plausible for B2B services, a lawsuit is a distinct possibility. This is particularly true in the US, which institutionally deals with many controversies via the legal system where they would be resolved by private negotiation in other countries. (This fact sometimes surprises entrepreneurs doing business internationally.)

Additionally, because sophisticated businesses know that having you interface with their systems exposes them to the possibility of expensive remediation, they will often require, as a term of doing business with you, that you carry an insurance policy.

The policy limits for E&O policies generally start at $1 million. Buying more is relatively inexpensive—$1 million is often sufficient for companies that are just starting out. You can (and should) renew your policy yearly. Renewal time is a great opportunity to think about whether you have adequate coverage for your exposures.

Business insurance in the US is generally sold by insurance company agents, who are a combination of sales representatives and professional advisors. Unsurprisingly, since they’re paid on commission by the insurance companies, their professional advice is often that you buy more insurance from them. Your lawyer or accountant can often suggest an appropriate level given your business’s degree of exposure.

General liability insurance

Virtually every business should carry “general liability” insurance if you have a physical presence in the United States. (If you don’t, you may elect to skip this if it is not the norm in your country.) General liability insurance is sometimes sold bundled with E&O insurance.

E&O insurance insures against the risks posed uniquely by the type of work you do. General liability is more diffuse; it insures against risks posed by the physical existence of your company. For example, if you have an office, it is theoretically possible that someone could slip inside or in front of the office, resulting in your company being liable for their (perhaps substantial) medical bills. This is relatively infrequent, but general liability covers enough distinct “relatively infrequent” sources of stress to be worth the peace of mind it brings to many entrepreneurs.

In addition to accidents at your physical location, general liability might protect you from employee malfeasance, having property stolen from your business, loss in the event of a fire, or the like. The exact insured risks will be listed in your policy, so read it carefully. You’ll typically only file a general liability claim when something extremely expensive has happened. You do not want to be told, “We don’t cover that very expensive thing that happened. Didn’t you read subsection D on page 22? It clearly says that... ”

Contrary to occasional grousing, insurance companies are generally not crooks. They’re extensively regulated in the United States, and the nature of the business is very detail-oriented, more similar to programming than creative writing.

You’ll purchase your general liability insurance through an insurance agent, likely the same one who sells you your E&O line. The policy might be combined with your E&O policy or sold separately. Expect to pay only a few hundred dollars a year for this.

Risk reducers for underwriting

As part of getting an insurance policy written, you will be asked questions by the insurer’s “underwriting” department, which needs to decide whether your business has a level of risk that can be profitably insured given the premiums the insurance company wants to charge you. It’s to your advantage to know how to answer questions from an underwriter in a professional and honest manner that will get your application approved.

Helpfully, knowing the sorts of things insurance companies look for is very useful, because they’re literally in the business of figuring out what choices end badly. You can alter some operations of your business to have more positive answers to their questions, both increasing your likelihood of getting covered at lower premiums and also removing sources of risk from your business.

Here are some questions you might be asked:

Do you use written contracts for selling services? The right answer is, unsurprisingly, “Yes.” Some underwriters will drill into specifics of the contracts, such as:

  • Do the contracts have wording limiting the scope of your guarantee or warranty with regards to work?
  • Do the contracts have heightened terms for the standard of care you’re required to bring, or are you given more discretion?
  • Do the contracts have midproject checkpoints such as milestones with required sign-off from the customer, a defined payment schedule, etc.?
  • Do the contracts limit damages that you could be assessed?
  • Do the contracts envision a formal change-order process where both parties have to agree in writing to changes in scope?

These questions help underwriters see that your contract has been drafted in anticipation of it being tested by a contentious project with a client.

Do you have substantial experience in the industry? More experience is better than less experience, naturally. It is generally to your benefit to describe your experience in a way that is absolutely truthful and easily comprehensible by someone who is not an expert in your field.

Click-through agreements and public policies

Certain sorts of standard contracts are relatively non-negotiable. You’ve almost certainly agreed to one—for example, if you’ve ever accepted “Terms of Use” or signed a contract with a cell phone company.

These contracts are used when a) negotiating individualized contract terms with every customer would be counterproductive and b) when the contracts can nonetheless meaningfully limit exposure of the company to risk.

You are highly likely to have some contracts that apply generally to folks doing business with you. You will additionally have some public written policies that aren’t contracts but rather are designed to clarify certain important details about doing business with you.

Depending on what your company does, you may want to have:

  • A privacy policy
  • A refund, warranty, and return policy
  • Terms of service or terms of use

Orrick, the global tech law firm, is the legal partner for Stripe Atlas. Experts at Orrick contributed their expertise to this section (see the disclaimer at the end of this guide), and Atlas users can access a more detailed Atlas Legal Guide written by Orrick.

Privacy policy

Every internet company collects data. Big, heaping mountains of data.

Consumers want to know that you’re not going to abuse personal information you collect. More importantly, government regulators want companies to tell consumers about the company’s data practices. There are overlapping and at times conflicting laws, regulations, and guidance about privacy disclosures, some of which vary by industry or by state (not to mention all of the foreign laws), but in general, you will need to have a written privacy policy available on your website or mobile app anywhere you do business.

Companies that collect personal data or handle user data online generally have a privacy policy. You may be legally required to post a privacy policy under certain state laws or laws that apply to specific industries, or if you engage in certain activities, such as online advertising. There are a variety of counterparties, such as financial institutions and hosting providers, that would hold the nonexistence of a privacy policy against you, even if you internally had the understanding, “Well, we’re just doing the usual—no spam, Google Analytics, standard Nginx logs.” Also, if you sell to other businesses, your business customers will likely require you to post a privacy policy as a condition of doing business with you.

Privacy policies are less legal contracts and more a semistandardized way to communicate your plans about data with your customers. Having an inaccurate privacy policy may be worse in some respects than not having any at all. (Orrick, for example, has written in detail about seemingly harmless terms that were given strict scrutiny by regulators.)

The privacy policy is customarily written in nontechnical, plain language and is relatively short. Important points to cover in a US privacy policy include:

  • What information do you collect?
  • Who has access to it?
  • Under what circumstances will you release it to third parties?
  • How do you use data for advertising, including online tracking?
  • For how long do you store it?

Additional information may be required if you’re doing business wholly or partly outside of the United States, where more stringent data privacy laws may apply (e.g., the European Union).

Most internet companies do not list every single bit of information they collect but rather use representative examples, largely because customers aren’t competent to evaluate the specifics. (If you are in a highly privacy-conscious domain, such as healthcare, or if you collect children’s personal information, where there are specific regulations, the specifics matter quite a bit and are outside the scope of this guide.)

If you don’t have a privacy policy ready, think about what information you collect, organize your thoughts internally, then adopt a prewritten privacy policy and customize it to make sure that it is accurate to the operations of your business, working with your lawyer where necessary. Automattic, the makers of WordPress, have generously released their privacy policy under a permissive license, so that you can make light edits to it and have a reasonably sane policy ready almost immediately.

As always for contract-like documents, if you have any questions, ask a lawyer.

Refund and return policies

When ecommerce first started, people were terrified about sending money over the internet. What if the goods weren’t exactly to their liking? What if the 20 kB GIF didn’t show the color of the dress accurately? What if? What if? What if?

Refund policies are a great way to preemptively answer “What if?” in a way that increases your conversion rates, minimizes unhappy customers, and streamlines your operations. If you take payments online, your payments processor will require that you have a refund policy posted prominently; it is generally to your advantage to have it visible near the point of checkout because some customers will look.

In general, most internet businesses choose to be extraordinarily generous with refunds. This is particularly true of IP-based businesses that have relatively little hard costs for providing their goods and services, such as software or SaaS companies.

Many software companies would have the following as their full refund policy. (Feel free to use or adapt it, if you want.)

Refund Policy

We want you to be thrilled with your purchase. If it isn’t satisfactory for any reason, we will happily refund the entire purchase price for up to 30 days after your purchase.

Refund policies for ecommerce companies are generally a little more complicated, particularly around returns of tangible goods, like clothing or other consumer products.

You should mention what the process is for requesting a return, where the returned item should be mailed to, whether the item can be returned if used, what the timelines are, who absorbs costs for shipping (and return shipping), etc.

One might wonder, “Why are even the most generous refund policies often time limited?” This is something your accountant will probably demand from you; an unlimited refund policy greatly complicates when you’re allowed to recognize revenue. Many companies will officially say that they only process refunds within the first 30 or 60 days while they (unofficially or semi-officially) actually will refund any purchase ever made, even years after the fact.

In some countries it is a legal requirement that the refund period extend from receipt of a product or performance of a service, not from the transaction date, in the case where the transaction occurs before the receipt. There may also be requirements that the refund period last at least a certain amount of time (e.g., 90 days). In general, one can simply adopt the most generous term; tightening your refund language is rarely the point of most leverage in your business.

Terms of service and terms of use

Most websites operated commercially and all web applications will have a terms of use. (These are sometimes called “terms of service,” abbreviated ToU or ToS.)

They range from informal descriptions of what constitutes acceptable use of the site (often including terms like “no spamming,” “no uploading viruses,” and “no threats of violence”) to, for applications, full contracts specifying payment terms, limitation of liability, and more.

Many companies who do not directly charge for their website choose to publish a more informal terms of use. If you take sign-ups to your site, you can require that customers accept the terms of use by checking a box during sign-up. Record the date and time of the acceptance, in case you are asked about it later.

If you are selling software or software as a service, your terms of use is probably a full-fledged contract, though a short one. A lawyer can draft one for you, but this is probably unnecessary unless your software operates in a market that is likely to require a high degree of attention to compliance or liability concerns. (Healthcare, financial services, and the like come to mind—ask your lawyer if you’re curious.)

If you’re producing software for consumers or smaller businesses, you can probably adapt Automattic’s permissively licensed Terms of Service from their WordPress product. This will take you only a few minutes. Force customers to agree to it via a checkbox when signing up for your service, and record the time when the consent was given.

Will I ever need these things?

You may never find your policies tested in a court of law.

Having these policies in place is widely used by businesses and regulators as a check on whether you’re operating your business in a professional fashion.

You will likely not be approved by a financial institution to accept payments unless you have a ToS, refund policy, and returns policy (if you ship tangible goods).

For example, in the event of a chargeback filed against a purchase for your software, you can expect to lose almost automatically if the issuing bank says, “The customer says they didn’t agree to pay. Do you have a contract?” And your only answer is, “Well, they signed up for an account.” The right answer is, “Bob Smith signed up for an account on March 23. He affirmatively accepted our terms of service, a copy of which I’ve attached. The terms of service explicitly state that customers are obligated to pay for the service.”

You’ll still lose some chargebacks, even when you’ve documented everything correctly, but doing everything correctly gives you a chance.

Companies can benefit from the practice of drafting a privacy policy, as it forces you to think critically about your data practices, understand the regulatory landscape (which can involve some weird—and costly—rules and regulations), and establish policies and procedures that will benefit your company in the long term. Establishing good privacy practices from the get-go helps to ensure you maximize the value of your data assets, avoid regulatory pitfalls, and mitigate the risks (and consequences) of a data breach.

Getting minimally compliant with these policies can usually be done quickly and efficiently, particularly in light of the benefits. You will need to review and update these policies (particularly your privacy policy) as your business changes and grows and can expect to do a deeper dive in the future when you have more resources. With that said, depending on where you’re doing business and what your business is, these documents may need to be changed more often. For example, if your business involves handling data provided by kids, then there’s a patchwork of different state laws that currently apply, and the regulatory landscape is constantly changing. If your business is a subscription service, various states have (and others may adopt) laws that require you to put certain additional disclaimers in your terms of use regarding automatic renewals.

Disclaimer: This guide is not intended to and does not constitute legal or tax advice, recommendations, mediation, or counseling under any circumstance. This guide and your use thereof does not create an attorney-client relationship with Stripe, Orrick, or PwC. The guide solely represents the thoughts of the author and is neither endorsed by nor does it necessarily reflect Orrick’s belief. Orrick does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the guide. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular problem.
