Most non-disclosure agreements downloaded from the internet fall into one of two failure modes: they're so broad that a court would never enforce them, or so narrow that they leave out exactly the information you needed to protect. Here's what a properly drafted NDA actually needs — and the clauses most people skip.
An NDA that doesn't hold up when you need it is worse than no NDA at all. It gives you false confidence. You share sensitive information believing you're protected, the other party uses it inappropriately, and when you go to enforce the agreement you discover that the key clause was too vague, the definition of confidential information too broad, or the jurisdiction wrong for the dispute you're trying to bring.
This guide walks through every meaningful section of a non-disclosure agreement — what it needs to say, what it must not say, and the specific mistakes that make otherwise reasonable NDAs unenforceable.
Start with the right type of NDA
Before writing a single clause, decide what kind of NDA you actually need. There are three:
- Unilateral NDA — only one party discloses confidential information, only the other party is bound to keep it secret. Appropriate when you're sharing information with a potential service provider, contractor, or investor who has nothing to share with you in return.
- Mutual NDA — both parties may disclose confidential information and both are bound. Appropriate for partnership discussions, joint ventures, or any situation where both sides are sharing sensitive material.
- Multilateral NDA — three or more parties. Use this for consortium arrangements or multi-party negotiations. Administratively simpler than multiple bilateral agreements but harder to draft correctly.
The definition of confidential information — the most important clause
This clause determines the scope of everything. Get it wrong and either nothing is protected or the agreement is too vague to enforce. There are two approaches and both have significant tradeoffs.
The broad approach
Define confidential information as everything disclosed by one party to the other, whether in writing, orally, electronically, or by any other means, whether or not marked as confidential. This is simple to draft and catches everything — but it's potentially too broad. Courts in many jurisdictions are reluctant to enforce agreements that protect information the disclosing party couldn't reasonably have expected to keep secret.
The narrow approach
Define confidential information specifically — lists of customer names, pricing structures, technical specifications, business plans — and require that oral disclosures be confirmed in writing within a set period. This is more defensible but risks leaving gaps. If you forget to include something in the list, or fail to confirm an oral disclosure in writing, it may not be covered.
The practical middle ground
Most well-drafted NDAs use a middle approach: a broad definition combined with a reasonable person test. Confidential information means any information disclosed that a reasonable person in the circumstances would understand to be confidential, taking into account the nature of the information and the context of disclosure. This gives you breadth while maintaining enforceability.
Standard exclusions — what is never confidential
Every NDA should exclude certain categories of information from the definition of confidential. These exclusions are not concessions — they're legally necessary to make the agreement enforceable. If you resist including them, a court may interpret the entire definition as unreasonably broad and void it.
- Information that is or becomes publicly available through no fault of the receiving party
- Information the receiving party already knew before the disclosure, as evidenced by prior written records
- Information independently developed by the receiving party without reference to the confidential information
- Information received from a third party who was legally entitled to disclose it
- Information required to be disclosed by law, court order, or regulatory authority — subject to the receiving party giving notice to the disclosing party where legally permitted
That last exclusion — required disclosure — deserves careful drafting. The receiving party should be required to give the disclosing party prompt notice of any compelled disclosure so the disclosing party has an opportunity to seek a protective order. Without this, a subpoena or regulatory demand could result in your confidential information being disclosed with no opportunity to contest it.
Permitted use — the clause most people forget
An NDA that only says "keep this confidential" is incomplete. It needs to say what the receiving party is permitted to do with the information. Without this clause, there's an ambiguity about whether the receiving party can share the information internally with their own employees, advisors, or subsidiaries — even if that sharing is necessary for the purpose of the deal.
A well-drafted NDA doesn't just prevent disclosure. It defines the permitted universe of use — who can see it, for what purpose, and under what conditions.
The permitted use clause should specify the purpose for which the confidential information may be used, who within the receiving party's organization may have access (described as "need to know" personnel), and the obligation to ensure those individuals are bound by equivalent confidentiality obligations.
Duration — how long does it last?
This is one of the most negotiated provisions and also one where unreasonable positions can render an agreement unenforceable.
| Duration | Appropriate for | Risk |
|---|---|---|
| 1–2 years | General business discussions, most commercial negotiations | May not protect genuinely long-term secrets |
| 3–5 years | Technology licensing, product development, M&A due diligence | Reasonable in most jurisdictions |
| Indefinite / perpetual | Trade secrets, proprietary formulas | Courts in many jurisdictions will not enforce. Use specific trade secret protections instead. |
A common and reasonable approach is to distinguish between the confidentiality obligation during the relationship (which lasts as long as the information is genuinely confidential) and the obligation after termination (typically 2–5 years). Genuine trade secrets are better protected through specific trade secret legislation than through contractual duration provisions. The two mechanisms complement each other: trade secret protection generally depends on the owner having taken reasonable steps to keep the information secret, and a signed NDA is one of the clearest pieces of evidence that such steps were taken.
Return or destruction of information
On termination of the NDA or the underlying relationship, what happens to the confidential information? This clause should address whether the receiving party must return or destroy all materials, the timeframe for doing so (typically within 30 days of written request), whether the receiving party must certify in writing that return or destruction has occurred, and the treatment of electronic copies and automated backups. Most parties now include a carve-out for backup systems that cannot practically be purged; that carve-out should state that any retained backup copies remain subject to the confidentiality obligations, will not be accessed or restored except as required to operate the backup system, and will be deleted in the ordinary course of the backup retention cycle.
Remedies — what happens when the NDA is breached
Confidentiality breaches are notoriously difficult to quantify as damages. By the time you've discovered the breach and quantified your loss, the competitive harm has already occurred. For this reason, most well-drafted NDAs include two specific provisions.
- Acknowledgment of irreparable harm. A clause stating that the parties acknowledge a breach would cause irreparable harm for which monetary damages would be an inadequate remedy. This language makes it easier to obtain injunctive relief on an emergency basis — often the only practically useful remedy when confidential information has been disclosed.
- Injunctive relief without bond. A provision waiving the requirement to post a bond when seeking emergency injunctive relief. In many jurisdictions, courts require a security deposit before granting emergency relief. Courts are not always bound by a contractual waiver, but including it removes a potential barrier to urgent enforcement and signals that both parties anticipated this remedy.
Governing law and jurisdiction
Always specify which law governs the agreement and which courts have jurisdiction over disputes. For international agreements, this choice matters enormously — the enforceability of confidentiality provisions varies significantly between jurisdictions. Choose the governing law of a jurisdiction where the obligations are clear and enforcement is practical.
The clauses you can safely omit
Overly long NDAs are a problem in their own right — they take longer to review, increase the chance of negotiation on irrelevant provisions, and can obscure the genuinely important clauses.
- Non-solicitation clauses belong in employment agreements, not NDAs. If you need them, include them in a separate agreement.
- Intellectual property assignment clauses are out of scope for an NDA. An NDA protects information; it doesn't govern who owns the results of any work done with that information.
- Extensive boilerplate about entire agreement, amendments, and severability adds little in a simple NDA. One or two sentences suffice.
A practical drafting process
The most common cause of poor NDA drafting is not ignorance of the law — it's the process. Lawyers and professionals reach for a template, fill in the party names and a date, and send it without thinking through what they actually need to protect and why.
A better process takes fifteen minutes before drafting:
- What specific information am I disclosing? List it concretely.
- Who in the other party's organization needs access, and for what purpose?
- How long does this information need to stay confidential to be commercially valuable?
- What's the realistic remedy if they breach? Can I quantify the harm?
- Which jurisdiction makes enforcement practical?
The answers to these questions should drive every significant clause in your NDA. The template provides the structure; the answers provide the substance.
bbly includes an NDA template with all the clauses described in this article. Draw your sections on the canvas, fill in the details, export a clean PDF.