
The Complete NDA Checklist for Startups (Free Template Included)

Before you share your idea with anyone, you need an NDA that actually works. Here is the checklist every startup founder should follow.

Contract DIY Team | 5 min read

You have an idea, a prototype, maybe some early traction. Now you need to talk to people — potential co-founders, developers, advisors, partners. And before you share the details, you need an NDA.

But here is the problem: most founders either skip the NDA entirely ("we will just trust them") or grab a random template online and hope it covers their situation. Both approaches have serious blind spots.

I have spent a lot of time studying what makes NDAs actually enforceable versus what just looks good on paper. Here is the checklist I wish someone had given me when I started.

The startup NDA checklist

1. Define "confidential information" precisely

This is where most NDAs fail. A vague definition like "all information shared between parties" sounds comprehensive, but courts have thrown out NDAs with overly broad definitions because they are essentially unenforceable.

Your definition should include specific categories:

  • Source code, algorithms, and technical architecture
  • Business plans, financial projections, and pricing strategies
  • Customer lists, user data, and growth metrics
  • Product roadmaps and feature specifications
  • Marketing strategies and competitive analyses
  • Proprietary processes, formulas, or methodologies

It should also state what is NOT confidential:

  • Information that is already publicly available
  • Information the recipient already knew before signing
  • Information received from a third party without restriction
  • Information independently developed without using your confidential data

The exclusions are just as important as the inclusions. Without them, a court might view your NDA as unreasonably broad.

2. Choose the right NDA type

One-way NDA: You share information, they keep it secret. Use for contractors, freelancers, and situations where only you are disclosing.

Mutual NDA: Both parties share and protect information. Use for co-founder discussions, partnership explorations, and vendor evaluations where both sides reveal proprietary details.

Most startup conversations should use a mutual NDA. Even when you think you are the only one sharing, the other party often discloses their own proprietary information during discussions.

3. Set a realistic duration

The confidentiality obligation needs a time limit. Here is a practical framework:

  • General business information (strategies, plans): 2-3 years
  • Technical information (code, architecture): 3-5 years
  • Trade secrets (algorithms, formulas, proprietary processes): indefinite or until the information becomes public through no fault of the recipient

Do not set everything to "indefinite." Courts are skeptical of perpetual obligations, and it makes signing feel more burdensome than necessary. Match the duration to the actual sensitivity of the information.

4. Specify what the recipient can and cannot do

An NDA should not just say "keep it secret." It should define the boundaries of use:

  • The recipient can only use the information for the stated purpose (evaluating a partnership, performing contracted work, etc.)
  • The recipient cannot reverse-engineer products or prototypes shared under the agreement
  • The recipient must limit internal access to employees or contractors who need to know — and those people must be bound by similar confidentiality obligations
  • The recipient must return or destroy all confidential materials upon request or termination

The "need to know" restriction matters more than people think. If a potential partner shares your proprietary pricing model with their entire team instead of just the two decision-makers involved, that is a problem even if none of them leak it externally.

5. Include non-solicitation if relevant

If you are sharing information with someone who could poach your team or customers, add a non-solicitation clause. This prevents the recipient from:

  • Hiring your employees or contractors for a specified period
  • Soliciting your customers or users using information gained under the NDA

This is especially important for partnership discussions where the other party is in an adjacent market. They might not steal your idea, but they might steal your lead developer after meeting them during technical due diligence.

6. Define remedies for breach

What happens if someone violates the NDA? Your agreement should specify:

  • Injunctive relief: The right to seek a court order stopping the breach immediately, without having to prove monetary damages first
  • Monetary damages: Compensation for losses caused by the breach
  • Attorney's fees: The breaching party pays your legal costs

The injunctive relief clause is arguably the most important. Once confidential information is leaked, money cannot undo the damage. You need the ability to get a court order fast.

7. Choose governing law and jurisdiction

Which state's laws govern the agreement? Where would disputes be resolved?

Pick your home state. This is not just about convenience — different states have different rules about NDA enforceability. California, for example, has strong limitations on non-compete clauses that can affect NDA interpretation. New York tends to enforce reasonable NDAs more readily.

Do not leave this blank. If there is no governing law clause, a dispute could be governed by whichever state's law the court decides applies — and that might not be favorable to you.

8. Address compelled disclosure

Sometimes a recipient is legally required to disclose confidential information — by a court order, subpoena, or regulatory investigation. Your NDA should have a carve-out that:

  • Permits disclosure required by law
  • Requires the recipient to notify you first (so you can seek a protective order)
  • Limits the disclosure to the minimum required by law

Without this clause, a recipient faces an impossible choice between breaching your NDA and violating a legal obligation. That puts your entire agreement at risk.

When NOT to use an NDA

NDAs are not always appropriate:

  • Investor pitches: Most investors refuse to sign. Focus on what makes your execution unique, not protecting a raw idea.
  • Job interviews: Asking candidates to sign before discussing the role creates a terrible first impression. Share only what is necessary during the interview process.
  • Public information: If your product is live and your features are visible, an NDA covering that information is pointless and undermines your credibility.
  • Ideas without execution: NDAs protect specific confidential information, not abstract ideas. "An app for dog walkers" is not protectable. Your proprietary matching algorithm and user acquisition data are.

Making it practical

The biggest reason startups skip NDAs is the same reason freelancers skip contracts: friction. By the time you find a template, customize it, and figure out if it covers your situation, the meeting is tomorrow and you just wing it.

I built Contract.DIY specifically to solve this problem. You answer a few questions — who is involved, what is being shared, which jurisdiction — and you get a complete NDA in minutes. It is free to create, and the NDA is tailored to your specific situation.

Whether you use a tool like ours or work with a lawyer, the important thing is that you have an NDA before you share anything sensitive. Ideas are cheap. Execution details, proprietary data, and competitive advantages are not.

Do not learn this lesson the hard way.
