What Is an NDA? Meaning, Types & What Makes One Enforceable

NDAs get signed without anyone reading them, and most of what they say is too vague to enforce, too broad to enforce, or both. Here is what an NDA actually is, the 3 types, what every NDA must contain, and the mistakes that make them collapse in court.

Picture this. You are three weeks into early conversations with a potential acquirer. They want to see the customer churn data, the unit economics, the internal product roadmap through 2027. Your CFO sends over a 14-page mutual NDA pulled from a 2019 template. Their general counsel sends back redlines that gut the definition of Confidential Information, strip the injunctive relief clause, and quietly insert a clause that lets them retain "residuals" indefinitely. You sign it anyway because the deal looks like it could close at a 9x revenue multiple, and you do not want to be the friction. Six months later the deal collapses, and two quarters after that a competitor ships a product whose feature list looks suspiciously close to your old roadmap.

Most founders, GCs, and operators have a story that rhymes with this one. The reason is not that NDAs do not work. The reason is that most NDAs are signed without anyone actually reading what they say, and most of what they say is either too vague to enforce, too broad to enforce, or both. So let us walk through what an NDA actually is, what it can and cannot do, and what separates an NDA that holds up in court from one that just makes everyone feel better at dinner.

NDA meaning: the short version

NDA stands for non-disclosure agreement. It is a legal contract in which one or more parties agree to keep specified information confidential, use that information only for a defined purpose, and accept legal liability if they disclose or misuse it outside the agreed terms. The information protected is typically called "Confidential Information," and the precision of that definition is the single most important sentence in the document.

You will also hear NDAs called confidentiality agreements, CDAs (confidential disclosure agreements), or proprietary information agreements. The labels are largely interchangeable in commercial practice, although certain industries have preferences. Biotech and pharma tend to favor CDA. Tech and finance tend to use NDA. Employment counsel often uses "proprietary information and inventions assignment agreement," which combines an NDA with IP assignment and is structurally a different beast.

The point of an NDA is to convert what would otherwise be an informal trust relationship into an enforceable legal obligation. Before the NDA, if you tell a vendor your pricing model and they share it with your competitor, you may have a moral grievance but very limited legal recourse. After a properly drafted NDA, you have a breach of contract claim, and depending on the jurisdiction and facts, potentially a trade secret misappropriation claim under the federal Defend Trade Secrets Act of 2016 or your state's version of the Uniform Trade Secrets Act.

What an NDA does (and what it doesn't)

An NDA does one thing well. It creates a clear, enforceable legal obligation that the receiving party will not disclose or misuse defined Confidential Information outside the permitted scope. When that obligation is breached, the disclosing party can sue for damages, seek injunctive relief to stop further disclosure, and in some cases recover attorneys' fees if the contract provides for it.

The injunctive relief piece matters more than most people realize. Money damages for a breached NDA are notoriously hard to calculate, especially for early-stage information whose commercial value is speculative. What you actually want, in most real-world breaches, is a court order telling the breaching party to stop disclosing and to return or destroy what they have. A well-drafted NDA preserves your right to seek that relief without having to prove monetary damages first, which is often the difference between a meaningful remedy and a Pyrrhic victory.

Here is what an NDA does not do, no matter how aggressively it is drafted.

  • It does not prevent independent development. If the receiving party can show they developed the same idea or technology without using your Confidential Information, you generally cannot stop them. Courts protect actual misappropriation, not parallel invention.
  • It does not protect information that is already public. Once information is in the public domain, an NDA cannot retroactively pull it back. This is why timing matters and why founders should sign NDAs before pitching, not after.
  • It does not override legal compulsion. If the receiving party is served with a valid subpoena, court order, or regulatory request, they can disclose the information. A good NDA will require them to notify you first so you can seek a protective order, but it cannot let them defy a lawful demand.
  • It does not protect general skills, knowledge, or experience. An employee who learns industry skills on your dime can take those skills to their next job. What an NDA protects is specific, identifiable confidential information, not the general competence the person acquired while exposed to it.
  • It does not survive a finding that the information was not actually confidential. If you marked something "Confidential" but treated it casually internally (emailed it without restriction, posted it on a public Slack channel, included it in marketing decks), a court can find that you waived confidentiality.

The shortest way to say this: an NDA is a contract about how you treat information, not a force field around the information itself. The contract is only as strong as your behavior around the information and the precision of what you defined as confidential in the first place.

The 3 types of NDA: mutual, unilateral, multilateral

NDAs come in three structural flavors, and choosing the wrong one is one of the most common drafting errors. The structure should reflect the actual information flow between the parties.

Mutual NDA

A mutual NDA (sometimes called a bilateral NDA or two-way NDA) is used when both parties expect to exchange Confidential Information with each other. Each party is simultaneously a Disclosing Party and a Receiving Party, and the confidentiality obligations run both ways. This is the most common form in M&A discussions, strategic partnerships, joint development arrangements, and any commercial diligence where both sides are showing each other sensitive material.

Mutual NDAs tend to get negotiated more aggressively than unilateral ones, because both parties have skin in the game. The trade-off most lawyers will accept is symmetry: if one side wants a five-year term, it applies to both; if one side wants an injunctive relief carve-out, both get it. Asymmetric mutual NDAs exist, but they are a yellow flag worth questioning.

Unilateral NDA

A unilateral NDA (or one-way NDA) is used when only one party is disclosing Confidential Information and the other is receiving it. The receiving party takes on the confidentiality obligations; the disclosing party does not. Typical settings include employer-employee relationships (the employer protects trade secrets, the employee receives them), vendor onboarding (you give a contractor access to systems and data, they protect it), and investor pitches where you are showing financials but the investor has no equivalent disclosure obligation.

The leverage in a unilateral NDA usually sits with the disclosing party, which means the terms can be aggressive: long durations, broad definitions, strong remedies. The risk for the disclosing party is overreaching to the point of unenforceability, which we will return to in the mistakes section.

Multilateral NDA

A multilateral NDA binds three or more parties under a single agreement. The structural advantage is administrative simplicity: instead of negotiating a web of bilateral NDAs between every pair of parties in a joint venture, you negotiate one document that binds everyone. The structural disadvantage is that the lowest-common-denominator problem becomes acute. Any term has to be acceptable to every signatory, which usually means weaker protection than a tailored bilateral agreement would provide.

Multilateral NDAs show up most often in joint ventures, consortia, multi-party R&D collaborations, and certain syndicated financing situations. If you are negotiating one, pay particular attention to whether the obligations are joint or several, and whether the agreement contemplates the addition or departure of parties without requiring full re-execution.

When you need an NDA (and when you don't)

NDAs are reflexively requested in a lot of situations where they add no real protection and create real friction. They are also skipped in situations where they would have made a meaningful difference. It is worth being precise about both.

When you need an NDA

You should have an NDA in place before disclosing any of the following.

  • Trade secrets. Source code, proprietary algorithms, manufacturing processes, secret formulations. These are the textbook case. Without an NDA, you may also undermine your ability to claim trade secret protection later, because taking reasonable measures to maintain secrecy is a statutory element of the claim under the Defend Trade Secrets Act.
  • Financial details not in public filings. Internal projections, unit economics, customer-level revenue, gross margin breakdowns. Public companies disclose what the SEC requires in their 10-K and 10-Q filings, but everything else is genuinely confidential and worth protecting.
  • Customer lists and pipeline data. Courts have generally treated detailed customer lists as protectable confidential information, particularly when they include non-public contact, pricing, or relationship information.
  • Unreleased product roadmaps. Features, launch dates, pricing tiers, partnership announcements. These have direct competitive value and are easy to misuse.
  • M&A discussions. The fact that a transaction is being discussed is itself confidential and market-moving. NDAs in M&A contexts often include specific provisions prohibiting the receiving party from disclosing the existence of discussions, not just their substance.
  • Personnel information. Compensation data, equity grants, internal performance information. Often handled in employment agreements but sometimes called out separately.

When you don't need an NDA

Insisting on an NDA in the following situations is usually counterproductive, and in some communities (early-stage venture capital being the canonical example) it signals that you have not thought clearly about what is and is not actually confidential.

  • Pitching a generic concept to a VC. "Uber for X" is not protectable, and most investors will not sign an NDA at the pitch stage. The protection at this stage is the investor's reputational interest in not stealing ideas, not a contract.
  • Discussing publicly disclosed information. If it is in your blog post, your press release, your 10-K, or your website, an NDA cannot make it confidential.
  • General industry knowledge. Conversations about how a market works, where the puck is going, what the technology trends are. None of this is yours to protect.
  • Initial casual conversations. If you are not actually about to share anything sensitive, an NDA is theater. Wait until you have something specific to protect and then put one in place.

What every NDA must contain

An NDA missing any of the following elements is either unenforceable, ambiguous, or both. This is the minimum viable structure, and the rest is variation around it.

  • Definition of Confidential Information. Specific, not catch-all. The strongest definitions identify categories of information (technical, financial, customer, product roadmap) and note that information must be marked or identified as confidential at the time of disclosure, or be reasonably understood to be confidential from the context.
  • Parties. Who is bound. Watch for affiliate language: does the obligation extend to subsidiaries, parents, sister entities?
  • Permitted Use. What the receiving party can do with the information. This is usually tied to the "Purpose" of the disclosure. "Any business purpose of the Receiving Party" is not actually a limitation.
  • Term. Duration of the confidentiality obligation. Three to five years is standard for general business information. Trade secrets typically warrant indefinite protection.
  • Standard exclusions. Information already public, independently developed, lawfully obtained from a third party without confidentiality obligation, or compelled by law. These are universal and any NDA missing them is broken.
  • Return or destruction obligations. At the end of the term, or upon request, what happens to the Confidential Information.
  • Remedies. Express acknowledgment that breach may cause irreparable harm and that the disclosing party is entitled to seek injunctive relief without posting bond or proving damages.
  • Governing law and jurisdiction. Which state's law applies and where disputes will be resolved.

NDA template: the structure that holds up

A workable NDA template moves in roughly the following order. The order matters less than the completeness, but a predictable structure makes review faster and reduces the chance that defined terms drift between sections: Preamble; Recitals; Definitions; Confidentiality obligations; Permitted disclosures; Exclusions; Term and termination; Return or destruction; Remedies; General provisions; Signature block.

The friction in maintaining a good NDA template across an organization is rarely the first draft. It is the drift that happens as deal-specific edits get layered on, defined terms get redefined inconsistently, and the third clause from the bottom slowly becomes incompatible with the second clause from the top. This is the case for working with structured contract tools rather than free-form word processors. HERO's defined-terms management tracks every defined term across a document and flags inconsistencies before they hit a counterparty's redline. For teams that want to start from a vetted baseline, you can browse HERO's NDA templates across mutual, unilateral, and multilateral structures.

Common NDA mistakes that make them unenforceable

Most NDA failures cluster around a small set of drafting errors that turn up in deposition exhibits with depressing regularity.

Overly broad definition of Confidential Information

A definition that purports to cover "any and all information disclosed by either party in any form" is the most common drafting failure. Courts in jurisdictions including Delaware, New York, and California have narrowed or refused to enforce such definitions, particularly when the receiving party can show that the breadth made it impossible to know what was actually restricted.

Missing exclusions

An NDA without the four standard exclusions (already public, independently developed, lawfully received from a third party, compelled by law) is overbroad on its face. Even if a court would read those exclusions in as a matter of law, putting them in the document avoids fights over scope at the worst possible moment.

Indefinite term on general business information

An indefinite confidentiality obligation on ordinary commercial information has been treated by some courts as an unreasonable restraint. The defensible structure is a fixed term (three to five years is the conventional range) for general Confidential Information, with indefinite protection only for trade secrets specifically identified as such.

No carve-out for residual knowledge

In situations where the receiving party will have significant personnel exposure to the Confidential Information, the absence of a residuals clause can create practical impossibility. A residuals clause permits the receiving party's personnel to use general knowledge, skills, and experience retained in unaided memory.

Unsigned by both parties

An NDA signed by only one party is unenforceable against the non-signing party in most jurisdictions. This happens more than it should, particularly in fast-moving deals where the disclosing party sends the document, the receiver acknowledges receipt by email, and then everyone moves on without anyone actually signing.

No effective date

If the NDA does not specify when confidentiality obligations begin, you have an argument about whether information disclosed during preliminary conversations is covered. Specify the effective date.

Missing governing law

Without a governing law clause, you litigate first about which jurisdiction's law applies, which is expensive and rarely productive. Pick a jurisdiction, ideally one with a developed body of confidentiality and trade secret case law.

Conflicting NDAs with the same party

Sophisticated counterparties often have multiple NDAs in place with the same vendor or partner across different deal cycles. Without explicit language about whether the new NDA supersedes the old one, you can find yourself arguing about which terms apply to which information.

Most of these mistakes survive in templates because nobody re-reads the template carefully under deal pressure. The structural fix is process: a clean baseline, a defined-terms discipline, and a workflow that flags edits against the baseline. Document workflow automation turns NDA review from artisanal craft work into something closer to engineering.

Frequently Asked Questions

How long should an NDA last?

The conventional range for general business confidential information is three to five years. Five years is the most common term in mid-market commercial NDAs. Trade secrets generally warrant indefinite protection for as long as they remain trade secrets under applicable law, but the agreement should distinguish trade secrets from general Confidential Information so an indefinite term does not get applied to ordinary commercial information.

What's the difference between an NDA and a confidentiality clause?

An NDA is a standalone agreement whose entire purpose is to govern confidentiality. A confidentiality clause is a provision embedded within a larger agreement (an MSA, a services agreement, an employment contract) that performs similar work for information exchanged in connection with that larger relationship. For one-off or pre-relationship disclosures, use a standalone NDA. For information exchanged in the course of an ongoing contractual relationship, the embedded confidentiality clause is usually adequate as long as it is properly drafted.

Can an NDA cover information I'm legally required to disclose?

No. An NDA cannot override a valid legal obligation to disclose. If you are served with a subpoena, court order, or regulatory request, you can comply. What a well-drafted NDA can do is require you to provide prompt notice to the disclosing party so they have an opportunity to seek a protective order, and to cooperate (at the disclosing party's expense) in any such effort.

Are NDAs enforceable across state or national borders?

Generally yes, but with meaningful complications. Across U.S. state borders, NDAs are routinely enforced under the governing law specified in the agreement, although some states (notably California) have public-policy limits on certain employment-related confidentiality terms. Across national borders, enforcement depends on the governing law and jurisdiction clauses, applicable treaties, and whether the foreign jurisdiction will recognize and enforce a judgment from the chosen forum.

What happens if someone violates an NDA?

The disclosing party's first move is typically to send a cease-and-desist letter demanding that the receiving party stop the disclosure. If the breach is material and ongoing, the disclosing party can seek a temporary restraining order and preliminary injunction in court. Monetary damages may also be available. In cases involving trade secrets, the Defend Trade Secrets Act provides federal jurisdiction, the possibility of exemplary damages (up to twice actual damages) for willful and malicious misappropriation, and attorneys' fees.

Do I need a lawyer to draft an NDA?

For a routine bilateral NDA between two commercial parties using a vetted template, you can often handle it without involving outside counsel, provided someone internally understands what they are signing. The honest answer changes when the information at stake is highly sensitive (trade secrets, regulated data, M&A material), the counterparty is international, the deal structure is unusual, or the counterparty has redlined the document in ways you do not fully understand.

HERO is built for the way modern legal and operations teams actually work. Our structured contract editor enforces defined-terms consistency, surfaces deviations from your playbook in real time, and turns templates from static documents into reusable, auditable building blocks. Book a demo and we will show you what a clean NDA workflow looks like in practice.