NDA Checklist: What to Include, Review, and Confirm Before Signing

By Ashish Upadhyay | Nov 25, 2022 | Updated Mar 27, 2026 | 5 min read
Ashish Upadhyay is a Senior Writer at SpotDraft, where he covers AI in contracting, and helps unpack CLM best practices. He has 6+ years of experience writing for B2B SaaS, LegalTech, and Fintech, and previously worked at Gartner.

What Is an NDA?

A non-disclosure agreement (NDA) — also called a confidentiality agreement — is a contract that creates a legal obligation to keep certain information private. It prevents the receiving party from disclosing or misusing information shared by the disclosing party.

NDAs are commonly used in the following situations:

  • Sharing business plans, financial data, or trade secrets with potential investors or partners
  • Onboarding employees or contractors who will access proprietary information
  • Entering merger, acquisition, or due diligence discussions
  • Engaging vendors or service providers who handle sensitive data
  • Licensing technology or intellectual property

An NDA creates a legal duty to protect confidential information. It can apply to employees, vendors, customers, contractors, or business partners. Without one, the disclosing party may have limited legal recourse if sensitive information is shared without permission.

What Should an NDA Include?

Most NDAs include the following core elements:

  1. Identification of the parties
  2. Definition of confidential information
  3. Permitted purpose and use restrictions
  4. Exclusions from confidentiality
  5. Confidentiality obligations of the receiving party
  6. Term and duration
  7. Survival period after termination
  8. Return or destruction of confidential information
  9. Remedies for breach
  10. Governing law and dispute resolution

Each element plays a specific role in making the agreement enforceable and practical. Missing or vague clauses are a common source of disputes. For a shorter reference point, see Five Things to Look for in an NDA.

10 Essential NDA Clauses

1. Identification of the Parties

What it does: Names every party bound by the agreement.

Why it matters: If a party is not named, they are not legally bound. Ambiguity about affiliates, subsidiaries, or related entities can create enforcement gaps.

What to check: Confirm full legal names and entity types. Clarify whether the agreement extends to affiliates, parent companies, or third-party subcontractors. This is also a core contract drafting issue covered in broader business agreement guidance such as 6 Tips to effectively write business contract agreements.

2. Definition of Confidential Information

What it does: Identifies what information the NDA protects.

Why it matters: If the definition is too vague, it may be unenforceable. If it is too broad, it may capture information that should not be restricted.

What to check: Look for specific examples of protected information. Confirm that standard carve-outs exist for information that is already public, previously known, independently developed, or disclosed under legal compulsion. For more on drafting this section carefully, see Five Things to Look for in an NDA.

3. Permitted Purpose

What it does: Limits how the receiving party may use the confidential information.

Why it matters: Without a defined purpose, the receiving party may argue they were entitled to use the information in ways the disclosing party never intended.

What to check: The permitted purpose should be narrow and specific. Broad language like "internal business purposes" without further definition is a common weakness. This distinction also matters when deciding between an NDA and a confidentiality agreement.

4. Exclusions from Confidentiality

What it does: Lists the types of information that are not subject to the confidentiality obligation.

Why it matters: Standard exclusions protect the receiving party from obligations that would be unreasonable or unenforceable.

What to check: Most NDAs include exclusions for information that is:

  • Already in the public domain at the time of disclosure
  • Already known to the receiving party before disclosure
  • Independently developed by the receiving party without use of the disclosed information
  • Disclosed under a court order or legal requirement (with notice to the disclosing party where permitted)

For a clause-level breakdown of these carve-outs, see What is a Unilateral NDA? + Free Template.

5. Confidentiality Obligations

What it does: Describes what the receiving party must do to protect the information.

Why it matters: Vague obligations are difficult to enforce. Specific duties create a clear standard of care.

What to check: Look for requirements to use at least the same level of care as the party uses for its own confidential information, and no less than a reasonable standard of care. Confirm whether the receiving party can share information with employees or advisors, and under what conditions. Related contract confidentiality standards are also discussed in The Complete List Of Standard Clauses To Check Before Signing A Contract.

6. Term of the Agreement

What it does: Sets the start and end date of the NDA.

Why it matters: An agreement with no end date may be unenforceable in some jurisdictions. An agreement with too short a term may not protect information long enough to matter.

What to check: Confirm the agreement has a clear start date and a defined end date. Note whether the term refers to the duration of the relationship or the period of confidentiality obligations.

7. Survival Period

What it does: Specifies how long confidentiality obligations continue after the agreement ends or the relationship terminates.

Why it matters: Many NDAs end before the information loses its sensitivity. A survival clause extends protection beyond the formal agreement term.

What to check: Confirm that the survival period is explicitly stated. For trade secrets, some agreements include indefinite protection as long as the information qualifies as a trade secret under applicable law. Additional guidance on confidentiality periods appears in Five Things to Look for in an NDA.

8. Return or Destruction of Confidential Information

What it does: Requires the receiving party to return or destroy confidential information when the agreement ends or upon request.

Why it matters: Without this clause, the receiving party may retain sensitive information indefinitely after the relationship ends.

What to check: Look for a clear process, a defined timeline, and a certification requirement confirming that destruction has occurred. Consider whether cloud storage, backups, and derivative works are addressed. Broader data handling considerations are also relevant in In-House Legal Guide to Safeguarding Company Data.

9. Remedies for Breach

What it does: Describes the legal remedies available if the NDA is violated.

Why it matters: Without a remedies clause, the non-breaching party must rely entirely on general contract law, which may not provide fast or adequate relief.

What to check: Most NDAs include the right to seek an injunction — a court order requiring the receiving party to stop disclosing information — in addition to monetary damages. Confirm whether the agreement includes liquidated damages (a pre-agreed sum for breach) and whether those amounts are reasonable and likely enforceable. For related guidance, see What Happens if you Break an NDA? and How to Handle and Resolve Breach of Contracts.

10. Governing Law and Dispute Resolution

What it does: Specifies which jurisdiction's law applies and how disputes will be resolved.

Why it matters: Governing law determines which rules apply to interpretation and enforcement. Dispute resolution terms determine whether parties go to court, arbitration, or mediation.

What to check: Confirm the governing law is stated clearly. Note whether disputes must go to arbitration (which is private and typically faster) or litigation (which is public and can be slower). Check whether the jurisdiction is convenient and reasonable for both parties. For more context, see 4 Basic Contract Terms & Conditions And How To Write Them and How to Resolve Contract Disputes.

Mutual vs. Unilateral vs. Multilateral NDAs

Not all NDAs work the same way. The structure depends on how many parties are sharing information.

NDA Type     | How It Works                                                | Common Use Case
-------------|-------------------------------------------------------------|----------------------------------------------------------------
Unilateral   | One party discloses; the other party receives and protects  | Employee onboarding, vendor engagement, investor discussions
Mutual       | Both parties disclose and protect each other's information  | Joint ventures, partnerships, M&A discussions
Multilateral | Three or more parties share and protect information         | Consortium agreements, multi-party technology projects

Key consideration: A mutual NDA is appropriate when both parties will share sensitive information. Using a unilateral NDA when both parties are disclosing creates an imbalance and may leave one party unprotected.

If you need deeper guidance on choosing structure, see What is Mutual NDA? Everything you need to know and What is a Unilateral NDA? + Free Template.

11 Questions to Ask Before Signing an NDA

1. Who are the parties, and are affiliates included?

Short answer: Confirm full legal names and whether the agreement binds or protects related entities.
Why it matters: Undefined affiliate coverage can create gaps in protection or unexpected obligations.
Red flag: Broad affiliate inclusion on one side only, with no reciprocal coverage.

2. What exactly qualifies as confidential information?

Short answer: The definition should be specific, with examples, not a catch-all.
Why it matters: Vague definitions are difficult to enforce and may cover information that should be freely usable.
Red flag: "All information disclosed" with no carve-outs or examples.

3. What is the permitted purpose?

Short answer: The NDA should state exactly why the information is being shared and how it may be used.
Why it matters: Without a defined purpose, the receiving party has limited guidance and the disclosing party has limited protection.
Red flag: No use restriction, or a purpose so broad it is effectively unlimited.

4. Are the standard exclusions present?

Short answer: Confirm that information already public, previously known, independently developed, or legally compelled to disclose is excluded.
Why it matters: Without exclusions, the receiving party may be bound to protect information it already knew or that is publicly available.
Red flag: No exclusions at all, or exclusions that require the receiving party to prove the exception in writing before it applies.

5. How long does the agreement last?

Short answer: Check for a defined start date, end date, and survival period.
Why it matters: Indefinite NDAs may be unenforceable in some jurisdictions. Agreements that are too short may not protect information long enough.
Red flag: No end date, or a survival period that does not match the sensitivity of the information.

6. What are the return or destruction obligations?

Short answer: Confirm what must be returned or deleted, when, and how compliance must be confirmed.
Why it matters: Retaining confidential information after the relationship ends creates ongoing risk for both parties.
Red flag: No return or destruction clause, or requirements that are technically impossible to fulfill (for example, requiring deletion of all backup copies with no reasonable carve-out).

7. What remedies apply if the NDA is breached?

Short answer: Check whether the agreement allows injunctive relief and damages, and whether any liquidated damages amounts are reasonable.
Why it matters: Disproportionate penalties may be unenforceable. Weak remedies may not deter or compensate for a breach.
Red flag: Extreme one-sided penalties, or no remedy clause at all.

8. Which law governs the agreement?

Short answer: Confirm the governing law and whether it is reasonable for both parties.
Why it matters: Governing law affects interpretation, enforceability, and available remedies.
Red flag: Governing law of a jurisdiction with no connection to either party, or a jurisdiction that provides significantly weaker protection for one side.

9. Where must disputes be resolved?

Short answer: Confirm whether disputes go to court, arbitration, or mediation, and in which location.
Why it matters: A dispute resolution clause that requires one party to litigate in a distant jurisdiction creates practical and financial barriers to enforcement.
Red flag: Mandatory arbitration in a location that is unreasonably inconvenient for one party, or no dispute resolution clause at all.

10. Does the NDA include a non-compete or non-solicit clause?

Short answer: Check carefully for restrictions on hiring, competing, or soliciting customers that go beyond confidentiality.
Why it matters: Non-compete and non-solicit clauses are subject to different enforceability standards and are heavily restricted or unenforceable in some jurisdictions.
Red flag: Non-compete language embedded in a document presented as a simple NDA, without clear disclosure.

11. Is the agreement mutual or one-sided?

Short answer: Confirm whether both parties have the same obligations, or whether only one party bears the burden.
Why it matters: If both parties are sharing sensitive information, a unilateral NDA leaves one party unprotected.
Red flag: Obligations that apply only to one party in a situation where both parties are disclosing.

For a practical pre-signing walkthrough, also see How to Sign an NDA? (Best Practices + Tools).

Red Flag                                                    | Why It Is a Problem
------------------------------------------------------------|------------------------------------------------------------------------------------
Overly broad definition of confidential information         | May restrict use of information you already knew or that is publicly available
No exclusions from confidentiality                          | Creates unreasonable obligations that may be unenforceable
No defined end date or survival period                      | Creates indefinite obligations or leaves protection gaps
Non-compete language embedded in the NDA                    | May restrict your ability to work or compete in ways you did not anticipate
Extreme one-sided remedies                                  | May be disproportionate and potentially unenforceable; signals unfair drafting
Governing law of an unrelated or inconvenient jurisdiction  | Creates practical barriers to enforcement or dispute resolution
No return or destruction clause                             | Allows the receiving party to retain sensitive information indefinitely
Unrealistic destruction obligations                         | Requirements to delete all copies, including backups, may be technically impossible
Vague permitted purpose                                     | Gives the receiving party broad discretion to use information in unintended ways
Affiliate coverage on one side only                         | Creates asymmetric obligations that favor one party

For a broader clause-risk lens, review The Complete List Of Standard Clauses To Check Before Signing A Contract.

NDA Review Checklist

Use this checklist when reviewing any NDA before signing or sending for signature.

Review Item                 | What to Confirm                                                              | Common Red Flag
----------------------------|------------------------------------------------------------------------------|------------------------------------------------------
Parties                     | Full legal names of all entities; affiliate coverage is clear                | Affiliates included on one side without clarity
Confidential information    | Specific definition with examples and carve-outs                             | "All information" with no exclusions
Permitted purpose           | Narrow, stated business purpose                                              | No use restriction or an overly broad purpose
Exclusions                  | Public domain, prior knowledge, independent development, legal compulsion    | No exclusions listed
Confidentiality obligations | Standard of care is defined; permitted disclosees are named                  | Obligations are vague or unlimited
Agreement term              | Clear start and end date                                                     | No end date; indefinite term
Survival period             | Explicitly stated; appropriate for the type of information                   | No survival clause; obligations end when agreement ends
Return or destruction       | Process, timeline, and certification are addressed                           | No clause; or technically impossible requirements
Remedies                    | Injunction and damages are available; penalties are proportionate            | Extreme penalties; no remedies clause
Governing law               | Jurisdiction is named and reasonable for both parties                        | Unrelated jurisdiction; no governing law clause
Dispute resolution          | Method and location are clear and practical                                  | Mandatory arbitration in inconvenient location
Non-compete / non-solicit   | Reviewed separately; enforceability confirmed for relevant jurisdiction      | Hidden non-compete language
Mutual vs. unilateral       | Structure matches                                                            |

For related general review guidance, see Contract Review Checklist 2025 and The Ultimate NDA Checklist: Draft, Review & Sign NDAs with Confidence.

What Happens If an NDA Is Breached?

When an NDA is breached, the non-breaching party typically has several options depending on the governing law and the terms of the agreement.

Injunction: A court order requiring the receiving party to stop disclosing or using the confidential information. This is often the most urgent remedy because it prevents further harm while the dispute is resolved.

Compensatory damages: Financial compensation for losses caused by the breach. These can be difficult to quantify, particularly for intangible harm such as reputational damage or lost competitive advantage.

Liquidated damages: If the NDA includes a pre-agreed damages amount for breach, the non-breaching party may seek that amount without proving actual loss. Courts may reduce or refuse liquidated damages if the amount is deemed a penalty rather than a genuine pre-estimate of loss.

Dispute resolution process: Most NDAs require parties to follow a defined process — mediation, arbitration, or litigation — before or instead of pursuing court action. The governing law and dispute resolution clause will determine where and how the claim proceeds.

Practical consequences: A breach can damage business relationships, expose trade secrets to competitors, trigger regulatory obligations, and result in significant legal costs even if the NDA is ultimately enforced. Prevention through clear drafting and careful review is more effective than post-breach litigation.

For more detail, see What Happens if you Break an NDA?, How to Handle and Resolve Breach of Contracts, and How to Resolve Contract Disputes.

How Long Should an NDA Last?

NDA duration depends on the type of information, the nature of the relationship, and the governing law. There is no universal standard.

Agreement term vs. survival period: These are two different concepts. The agreement term is the period during which the parties are actively engaged. The survival period is how long confidentiality obligations continue after the agreement ends. Both should be explicitly stated.

Common practice for general confidential information: Many NDAs set a fixed confidentiality period of two to five years. This reflects the practical reality that most business information loses its sensitivity over time.

Trade secrets: Trade secrets may warrant longer or indefinite protection. Under laws such as the Defend Trade Secrets Act in the United States or equivalent legislation in other jurisdictions, trade secret protection lasts as long as the information remains secret and the owner takes reasonable steps to protect it. An NDA can reflect this by including indefinite confidentiality obligations specifically for trade secrets.

Key principle: The confidentiality period should match the sensitivity and commercial value of the information. An NDA that protects routine business information for 20 years may be challenged as unreasonable. An NDA that protects a proprietary formula for only one year may not provide adequate protection.

For related drafting considerations around duration and survival, see Five Things to Look for in an NDA.

How to Manage NDAs Efficiently

Organizations that regularly send, receive, and negotiate NDAs benefit from a structured management approach. Ad hoc handling increases risk and creates unnecessary delays.

Use standard templates: Maintain approved NDA templates for common scenarios — employee onboarding, vendor engagement, partnership discussions, and investor meetings. Templates reduce drafting time and ensure baseline protections are always included.

Build an approval workflow: Define who can approve NDAs at different risk levels. Low-risk, standard NDAs may not require legal review. NDAs with unusual terms, significant financial exposure, or non-standard clauses should go through legal or senior approval.

Redline and negotiate efficiently: Use contract redlining tools to track changes, compare versions, and communicate proposed edits clearly. Redlining in a shared document reduces version confusion and speeds up negotiation cycles.

Manage signatures digitally: Electronic signature workflows eliminate printing, scanning, and manual filing. They also create a clear audit trail showing when each party signed and from which device or location.

Store NDAs in a searchable repository: Centralized contract storage allows teams to find active NDAs quickly, track expiry dates, and monitor survival periods. Manual filing systems make it difficult to locate agreements when a potential breach or renewal arises.

Set renewal and expiry reminders: NDAs that expire without renewal may leave information unprotected. Automated reminders allow teams to review, renew, or formally terminate agreements before they lapse.

For adjacent operational guidance, see How to Sign an NDA? (Best Practices + Tools), How to Track Contract Obligations, and digital-contract-management.

Frequently Asked Questions About NDAs

Is an NDA legally binding?

Yes. An NDA is generally legally binding when it meets standard contract law requirements: offer, acceptance, consideration, and sufficiently clear terms. Enforceability depends on factors including clarity of the obligations, reasonableness of the restrictions, and the governing law. Requirements vary by jurisdiction. For related contract formation basics, see Agreement vs Contract: Definition, Differences, and Use Cases.

What should be included in an NDA?

Most NDAs include the parties, a definition of confidential information, permitted use, exclusions from confidentiality, the receiving party's obligations, the agreement term, a survival period, return or destruction requirements, remedies for breach, and governing law and dispute resolution terms.

Can you negotiate an NDA before signing?

Yes. NDAs are commonly negotiated, particularly around scope, duration, carve-outs, remedies, affiliate coverage, and permitted purpose. One-sided or unclear clauses are frequently revised before signature. Receiving a draft NDA does not mean the terms are fixed. For practical negotiation context, see Tips to Deal With Take It or Leave It Negotiation Strategy.

What are common NDA red flags?

Common red flags include a vague or overly broad definition of confidential information, no exclusions, an indefinite or excessively long duration, hidden non-compete language, extreme one-sided penalties, no return or destruction clause, and governing law in an unrelated or inconvenient jurisdiction.

How long should an NDA last?

Many NDAs set a fixed confidentiality period of two to five years for general business information. Trade secret obligations may last longer, depending on the governing law and whether the information retains its protected status. The appropriate duration depends on the sensitivity of the information and the jurisdiction.

What makes an NDA unenforceable?

Common reasons an NDA may be unenforceable include: overly broad restrictions that courts view as unreasonable, lack of consideration, failure to identify the parties clearly, a confidentiality period that is indefinite without justification, governing law that does not support the claimed obligations, and terms that conflict with applicable law — such as non-compete clauses in jurisdictions where they are restricted.

What is the difference between a confidentiality clause and a non-compete clause?

A confidentiality clause restricts the disclosure and use of specific information. A non-compete clause restricts the receiving party from working for competitors or starting a competing business. These are separate obligations with different legal standards. Non-compete enforceability varies significantly by jurisdiction and is heavily restricted in some locations. An NDA may include both, but they should be clearly separated and reviewed independently. For a related distinction, see NDA vs. Confidentiality Agreement: Which One to Choose?.

Conclusion

A well-drafted NDA does more than label information as confidential. It identifies the parties, defines what is protected, limits how information may be used, includes clear exclusions, sets realistic confidentiality and survival periods, addresses return or destruction obligations, and provides proportionate remedies if a breach occurs.

Before signing any NDA, review the scope of the confidentiality obligation, the duration and survival period, the remedies and dispute resolution terms, and any additional restrictions such as non-compete or non-solicit language that may be embedded in the agreement.

For teams managing NDAs at scale, standard templates, structured approval workflows, digital redlining, electronic signatures, and searchable contract repositories reduce review time, improve consistency, and lower the risk of agreements lapsing unnoticed.

When in doubt about enforceability, jurisdiction-specific requirements, or unusual terms, seek qualified legal advice before signing.
