24/05/2026 Updated: 29/05/2026 11 min read

NDA complete guide: types, enforceability and what to include in every non-disclosure agreement

Mutual vs one-way NDAs, time limits, what information qualifies as confidential, and the clauses that make a non-disclosure agreement actually enforceable in court.


A non-disclosure agreement (NDA) — also called a confidentiality agreement (CA) or CDA — is one of the most signed and least-read contracts in business. Most NDAs are accepted and filed without anyone checking whether they actually protect anything. This guide covers what an enforceable NDA must contain, when to use a mutual vs one-way structure, and the clauses that are most often wrong.

An NDA is a binding commercial contract in all EU jurisdictions. It is governed by contract law — in Slovakia, §§ 51 and 269(2) Obchodného zákonníka; in Germany, §§ 241ff BGB; in the Czech Republic, §§ 1746(2) Občanského zákoníku. The key requirement: offer, acceptance, and consideration (typically the mutual exchange of confidential information, or the business relationship itself).

Additionally, EU trade secret law (Directive 2016/943 on the protection of undisclosed know-how and business information) provides independent statutory protection for trade secrets that are subject to reasonable confidentiality measures — including a signed NDA.

For lawyers, accountants and founders, understanding the distinction between an NDA (contractual protection) and trade secret law (statutory protection) is important — both can apply simultaneously.

Two types of NDA

One-way (unilateral) NDA

Used when only one party is disclosing confidential information — typically when a potential vendor, supplier or contractor receives sensitive business information during a sales or evaluation process.

When to use: Demos, RFP responses, proposals to a client, sharing financial projections with a potential investor who is not yet sharing anything back.

Mutual (bilateral) NDA

Used when both parties share confidential information with each other — such as in a joint-venture discussion, a co-development partnership or an M&A negotiation where both sides disclose proprietary data.

When to use: Partnership exploration, technical co-development, merger discussions, shared R&D.

Signing a mutual NDA when only one party is disclosing is unnecessarily protective of the other party and can create obligations where you have none. Match the NDA type to the actual information flow.

What counts as “confidential information”?

The definition of confidential information is the most commercially important clause in any NDA. Get it wrong and either nothing is protected, or everything disclosed by anyone is protected (which is impractical and unenforceable).

Best practice: mark-and-disclose definition

Confidential information is:

  1. Information marked as confidential at the time of disclosure (or within a defined period afterwards for oral disclosures), plus
  2. Information that, by its nature, a reasonable person would understand to be confidential (trade secrets, financial projections, customer lists, source code).

Standard exceptions

The following are never confidential, regardless of marking:

  • Information already in the public domain (not through the receiving party’s breach).
  • Information the receiving party already knew before disclosure (with documented evidence).
  • Information the receiving party develops independently without using the disclosed information.
  • Information received from a third party who is free to disclose it.
  • Information required to be disclosed by law or regulatory order (with prior notice to the disclosing party where possible).

Key clauses every NDA must contain

1. Duration of obligation

The confidentiality obligation must have a time limit. Perpetual NDAs are generally unenforceable and impractical (people change jobs; memories fade). Typical durations:

  • Trade secrets: perpetual is sometimes justified because trade secret law independently protects them.
  • Commercial/business information: 2–5 years is standard.
  • Technical IP in early development: 3–7 years.

The obligation duration and the agreement term are separate. An NDA might last 1 year (the term) but impose confidentiality for 3 years after it expires (the obligation).

2. Permitted disclosure (“need to know”)

The receiving party may share confidential information only with employees, contractors and advisers who:

  • Need to know it for the permitted purpose.
  • Are bound by equivalent confidentiality obligations.

Require the receiving party to maintain a written record of disclosures and to notify the disclosing party promptly if an unauthorised disclosure occurs.

3. Permitted purpose

Define precisely what the receiving party may use the information for. “Evaluating a potential commercial relationship” is standard. Any use outside this scope — even internal use — is a breach.

4. Residuals clause (watch out)

Many vendor NDAs include a residuals clause that allows the receiving party to use “general knowledge, skills and experience retained in unaided memory” even after the NDA ends. This effectively allows an employee who has memorised your trade secrets to use them freely once they leave. Refuse or narrow this clause whenever you see it.

5. Injunctive relief

Because money damages are often inadequate to compensate for a confidentiality breach (the harm is done the moment information is disclosed), most NDAs include a clause confirming the disclosing party’s right to seek emergency injunctive relief without first satisfying standard pre-litigation requirements.

6. Return or destruction

On termination of the agreement or on request, the receiving party must return or certifiably destroy all copies of confidential information, including digital copies. Add a certification requirement: the receiving party’s authorised officer must confirm in writing that destruction is complete.

Common NDA mistakes

| Mistake | Why it matters |
|---|---|
| No time limit on the obligation | Courts may refuse to enforce an indefinite obligation |
| Confidential information defined too broadly (“all information exchanged”) | Makes the NDA impractical and unenforceable in some jurisdictions |
| No residuals clause objection | Your product roadmap or formulas can walk out the door legally |
| No return/destruction obligation | Information remains with the other party indefinitely |
| Governing law not specified | Which country’s courts decide the breach — a fight before the main fight |
| NDA used instead of a DPA | Personal data transfers require a Data Processing Agreement (DPA), not just an NDA |

NDA vs DPA

An NDA protects commercially confidential information from disclosure. A Data Processing Agreement (DPA) is required under GDPR when a processor handles personal data on a controller’s behalf. They serve different legal purposes. When you share personal data with a vendor, you need both.

How AI helps

zipzipdoc generates NDAs tailored to whether you need a mutual or one-way structure, with a definition of confidential information matched to your industry and information type — source code, financial data, customer lists or R&D.


NDA enforcement: how to actually pursue a breach

An NDA is only as good as your ability to enforce it. Understanding the enforcement process before you need it — including the evidence you will need, the remedies available, and the time pressure involved — makes the difference between stopping a breach and merely documenting it.

Evidence you need to prove a breach

To enforce an NDA, you need to demonstrate:

  1. A valid, signed NDA exists: the audit trail from your signing system (timestamp, OTP verification, document hash) is your foundation. A disputed signature on a paper NDA is harder to prove than a cryptographically verified electronic signature.

  2. The information disclosed was confidential: evidence that the information was marked as confidential, treated as confidential, and fell within the definition in the NDA.

  3. The receiving party disclosed or used it without authorisation: this is often the hardest element. Evidence may include leaked documents, competitor products incorporating your IP, witness testimony, or digital forensics (emails, messages, access logs).

  4. You suffered harm (for damages claims): quantifying the loss from a confidentiality breach is difficult. Common approaches: cost of developing the compromised information, lost deal value if confidential pricing was disclosed to a competitor, or expert evidence on the commercial value of the information.

Injunctive relief: the most important remedy

In most NDA breaches, the priority is stopping further disclosure — because once confidential information is out, money damages cannot put it back. The injunctive relief clause in the NDA allows you to apply to the court for an emergency order (ex parte, without the other party present if necessary) compelling the breaching party to stop.

To succeed in an emergency injunction application, you typically need to show:

  • There is a serious question to be tried (you have a credible claim)
  • The balance of convenience favours granting the injunction (damages would not adequately compensate you)
  • You have given an undertaking in damages (you will compensate the other party if the injunction is wrongly granted)

Speed is critical: delay in seeking an injunction suggests the harm is not as irreparable as claimed and weakens your position.

Cross-border enforcement

EU NDAs are governed by contract law, which varies by member state. The governing law and jurisdiction clauses in the NDA determine which courts handle the dispute and which law applies. Key considerations:

  • Where to sue: typically your home jurisdiction or the receiving party’s home jurisdiction, depending on where enforcement of an injunction would be most effective.
  • Enforcement of a judgment: an EU court judgment is enforceable across EU member states under Brussels I Regulation (recast). A judgment in one EU country against a party with assets in another EU country can be enforced without re-litigating.
  • Non-EU parties: if you are sharing confidential information with a US company, ensure the NDA specifies which state’s law governs. The ESIGN Act covers the validity of electronic signing, but enforcement requires litigation in US courts or arbitration.

NDAs for specific situations: tailoring the standard template

NDA for M&A due diligence

Mergers and acquisitions involve the most sensitive possible information: complete financial records, customer contracts, technical IP, employee data, pending litigation. The NDA for M&A due diligence requires additional provisions:

  • Standstill/non-solicitation: the receiving party (potential acquirer) agrees not to approach the disclosing company’s employees or customers during or after the diligence period.
  • No-use for competitive purposes: even if the deal does not proceed, the recipient cannot use what it learned to compete with the target.
  • Extended duration: typically 3–5 years rather than 1–2.
  • Senior officer approval for disclosures: any disclosure within the receiving party must be approved by a designated senior officer.

NDA for employee exit

When a key employee leaves, an exit NDA (or confirmation of existing obligations) reaffirms that their confidentiality obligations from the employment NDA continue post-termination. Key additions:

  • Confirmation of which information they accessed and consider confidential
  • Reminder of the obligation to delete or return company data
  • Contact point for questions about what they may or may not use in a new role

NDA for technology licensing discussions

When exploring whether to license your technology or software, you may need to share technical details — architecture, APIs, implementation documentation — before the licence deal is agreed. The NDA should restrict use of disclosed technical information to evaluation only, and explicitly prohibit implementation, cloning, or competitive development.

Frequently asked questions

How long should an NDA’s confidentiality obligation last?

For standard business information, 2–5 years after the agreement ends is most common and most reliably enforceable. For trade secrets, a longer or indefinite period is defensible because the harm from disclosure is ongoing. Courts in most EU jurisdictions will reduce an unreasonably long obligation to a reasonable period rather than voiding the clause entirely.

Can an NDA be signed electronically?

Yes. An NDA signed with an advanced electronic signature (AdES) under eIDAS is fully binding in all 27 EU member states. The audit trail proving who signed and when is typically more reliable evidence than a scanned paper signature.

What is the difference between a one-way and mutual NDA?

A one-way (unilateral) NDA obligates only the receiving party to maintain confidentiality. A mutual NDA obligates both parties. Use a one-way NDA when only you are sharing sensitive information (e.g. before a product demo). Use a mutual NDA when both parties are sharing sensitive information (e.g. before a partnership discussion).

Can an NDA prevent someone from using knowledge they have memorised?

Not easily. The “residuals clause” problem is the hardest enforcement challenge in NDA law — courts are reluctant to restrict the use of knowledge that exists only in someone’s head. The strongest protection is to: (1) not include a residuals clause in your NDA; (2) classify trade secrets carefully so they qualify for protection under trade secret law; and (3) maintain technical and organisational secrecy measures around your most sensitive information.

What happens if someone breaches an NDA?

The disclosing party can seek: injunctive relief (court order stopping further disclosure), damages (compensation for loss caused by the breach), and — where the breach constitutes misappropriation of trade secrets — remedies under the EU Trade Secrets Directive including destruction of infringing products. A strong NDA with an injunctive relief clause is the fastest route to stopping a breach.
