A non-disclosure agreement is only as strong as what it covers — and what it does not. Sign a vague NDA and you have a false sense of security. Sign an overly broad one and a court may refuse to enforce it.
The difference between an NDA that protects you and one that fails when you need it most comes down to the specific clauses inside the document. This guide walks through every clause your NDA needs, explains why each matters, and shows you the common mistakes that make non-disclosure agreements unenforceable.
Why the details of your NDA matter
Most people treat NDAs as formalities — a document you sign before a meeting and never think about again. That works until someone leaks your trade secret, poaches your client list, or shares your product roadmap with a competitor.
When that happens, the NDA becomes the only document that determines whether you have legal recourse or not. And courts do not enforce NDAs based on good intentions. They enforce them based on specific, well-drafted language.
Here is what that language needs to cover.
1. Identification of the parties
Every NDA must clearly identify who is bound by the agreement. This sounds obvious, but errors here create real problems.
What to include:
- Full legal names of all parties (individuals or business entities)
- Business addresses for formal notices
- The role of each party — who is the disclosing party, the receiving party, or both (in a mutual NDA)
- If a business entity is signing, the name and title of the authorized signatory
Why it matters: If you sign an NDA with "John Smith" but John's company — a separate legal entity — is the one that actually handles your information, the NDA may not bind the company. Always identify the correct legal entity.
For freelancers and sole proprietors: If you operate under a business name (DBA), include both your legal name and the business name. This prevents any argument that the NDA only applies to you personally, not your business activities.
2. Definition of confidential information
This is the most important clause in any NDA. It determines the entire scope of protection.
What to include:
- Specific categories of protected information — trade secrets, financial data, customer lists, product specifications, business strategies, technical documentation, source code, pricing models, marketing plans
- Format coverage — written, oral, visual, electronic, or any other form of disclosure
- Marking requirements — whether confidential information must be labeled "Confidential" or whether all information shared in the context of the relationship is protected regardless of marking
- Oral disclosures — how verbally shared information is handled (typically must be confirmed in writing within a set period, such as 10 business days)
The balance to strike: Be specific enough that a court can identify what is protected, but broad enough that you do not accidentally exclude important categories. A definition that says "all information" is too vague. A definition that only lists "financial projections" leaves your customer data and technical processes unprotected.
Example of a well-drafted definition:
"Confidential Information means all non-public information disclosed by the Disclosing Party to the Receiving Party, whether orally, in writing, or electronically, including but not limited to: trade secrets, business plans, financial data, customer lists, product designs, technical specifications, marketing strategies, pricing models, and proprietary software. Information disclosed orally shall be considered Confidential Information if identified as confidential at the time of disclosure and confirmed in writing within ten (10) business days."
3. Exclusions from confidentiality
Every enforceable NDA includes carve-outs — categories of information that are not considered confidential even if they would otherwise fall within the definition. Without these exclusions, the NDA becomes unreasonably broad and may not hold up in court.
Standard exclusions:
- Publicly available information — Information that is or becomes publicly known through no fault of the receiving party
- Prior knowledge — Information the receiving party already knew before the NDA was signed (provable through documentation)
- Independent development — Information the receiving party independently develops without using or referencing the disclosing party's confidential information
- Third-party disclosure — Information received from a third party who has the legal right to disclose it
- Legally compelled disclosure — Information the receiving party is required to disclose by law, regulation, or court order (with prompt notice to the disclosing party)
Why exclusions matter: Without the "publicly available" exclusion, a receiving party could be liable for discussing information that was published in a press release. Without the "independent development" exclusion, a software company could be accused of misappropriation simply for building a feature they were already working on. These exclusions are not loopholes — they are necessary boundaries that make the NDA reasonable and enforceable.
4. Obligations of the receiving party
This clause specifies what the receiving party must — and must not — do with confidential information.
What to include:
- Non-disclosure obligation — The receiving party must not disclose confidential information to anyone except as permitted by the agreement
- Non-use restriction — The receiving party must not use confidential information for any purpose other than the stated purpose of the NDA (evaluating a business deal, performing contracted work, etc.)
- Standard of care — The level of protection required, typically "at least the same degree of care the receiving party uses to protect its own confidential information, but no less than reasonable care"
- Permitted disclosures — Who within the receiving party's organization can access the information (employees, advisors, attorneys) and whether those individuals must sign their own confidentiality agreements
- Security measures — Specific requirements for how information must be stored, transmitted, and eventually destroyed or returned
The "need to know" principle: Best practice is to limit access to individuals who genuinely need the information to fulfill the purpose of the NDA. An NDA that allows unrestricted sharing within the receiving party's organization is weaker than one that limits access to named individuals or specific departments.
5. Term and duration
The NDA needs two time periods defined: the term of the agreement itself and the survival period for confidentiality obligations.
Agreement term:
- Fixed term — The NDA is in effect for a specific period (1 year, 3 years, 5 years). Common for project-based relationships.
- Indefinite until terminated — The NDA remains in effect until one party provides written notice of termination. Common for ongoing business relationships.
- Tied to another agreement — The NDA lasts as long as the underlying relationship (employment, consulting engagement, partnership). Common as a clause within a larger service agreement.
Survival period:
This is the critical detail most people miss. The survival period determines how long confidentiality obligations continue after the NDA ends.
- Trade secrets — Survival should be indefinite or "for so long as the information remains a trade secret." Trade secret protection can last forever if the information is properly maintained, and an NDA with a fixed expiration for trade secrets weakens that protection.
- General business information — 2 to 5 years after the NDA terminates is standard
- Time-sensitive data — 1 to 2 years may be appropriate for information that becomes stale quickly (pricing data, marketing plans)
Common mistake: An NDA with a 2-year term and no survival clause means confidentiality obligations end when the agreement expires — the receiving party can freely disclose everything on day one after termination. Always include a survival clause.
6. Permitted purpose
Every NDA should define why confidential information is being shared. This limits how the receiving party can use the information.
Examples of permitted purposes:
- "For the sole purpose of evaluating a potential business partnership between the parties"
- "For the sole purpose of performing services under the Consulting Agreement dated [date]"
- "For the sole purpose of evaluating a potential investment in the Disclosing Party"
Why it matters: Without a defined purpose, the receiving party could argue they are free to use your confidential information for any reason — just not to disclose it. A strong NDA restricts both disclosure and use. If you share your customer list with a potential partner to evaluate a deal, you do not want them using that list for their own sales outreach even if they do not share it with anyone else.
7. Return or destruction of information
When the NDA ends or the purpose is fulfilled, what happens to the confidential information in the receiving party's possession?
What to include:
- Obligation to return or destroy — Upon termination or the disclosing party's request, the receiving party must return all confidential information or destroy it (including copies, notes, and derivative works)
- Certification — The receiving party must provide written certification that all materials have been returned or destroyed
- Exceptions — Information that must be retained for legal or regulatory compliance (with continued confidentiality obligations)
- Digital residue — Address backup tapes, cloud storage, and archived emails — specify whether routine backups must be purged or whether they are exempt as long as confidentiality obligations continue to apply
Practical tip: In practice, complete destruction of digital information is difficult. A reasonable clause acknowledges this reality: require destruction of all actively maintained copies while allowing retained backup copies to remain subject to confidentiality obligations until they are destroyed in the ordinary course of business.
8. Remedies for breach
What happens when someone violates the NDA? This clause defines the consequences and the disclosing party's options for enforcement.
What to include:
- Injunctive relief — A statement that breach of the NDA would cause irreparable harm that cannot be adequately compensated by monetary damages, entitling the disclosing party to seek injunctive relief (a court order to stop the breach) without posting a bond
- Monetary damages — The right to recover actual damages, including lost profits, caused by the breach
- Indemnification — The breaching party indemnifies the non-breaching party against losses, costs, and attorney fees resulting from the breach
- Liquidated damages (optional) — A pre-agreed damage amount for breach, useful when actual damages would be difficult to prove
Why injunctive relief matters: Once confidential information is disclosed, you cannot un-disclose it. Monetary damages are inadequate because the harm is already done and often unquantifiable. Injunctive relief — getting a court order to prevent further disclosure — is the most important remedy in an NDA. Make sure the clause explicitly acknowledges that breach would cause irreparable harm.
9. Governing law and dispute resolution
This clause determines which jurisdiction's laws apply and how disputes are resolved.
What to include:
- Governing law — Which state or country's laws govern the interpretation and enforcement of the NDA
- Jurisdiction and venue — Which courts have jurisdiction over disputes arising from the NDA
- Dispute resolution method — Whether disputes go to court, mediation, arbitration, or a combination (e.g., mediation first, then arbitration if unresolved)
Jurisdiction considerations: NDA enforceability varies significantly by jurisdiction. Some states have strong trade secret protections; others are more skeptical of broad confidentiality restrictions. Choose a jurisdiction whose laws favor the level of protection you need. If you operate in California, Texas, or New York, be aware of state-specific requirements that affect enforceability.
For cross-border agreements: If the parties are in different countries, governing law becomes even more important. Choose one jurisdiction — do not leave it ambiguous. Ambiguity over governing law can make enforcement dramatically more expensive and uncertain.
10. Non-solicitation clause (optional but recommended)
While not required, many NDAs include a non-solicitation clause that prevents the receiving party from using confidential information to recruit the disclosing party's employees, contractors, or customers.
What to include:
- Duration — Typically 12 to 24 months after the NDA terminates
- Scope — Define whether the restriction covers direct solicitation only or also indirect solicitation (e.g., posting a job ad that targets the disclosing party's employees)
- Covered individuals — Employees and contractors the receiving party had contact with during the NDA period
When to include it: Non-solicitation is especially important when the receiving party will have access to your team structure, compensation data, or customer relationships. Without it, a potential acquirer who decides not to complete the deal could use the due diligence information to poach your best employees or clients.
11. Notices clause
This clause defines how formal communications between the parties are delivered — an often-overlooked detail that matters when disputes arise.
What to include:
- Physical mailing addresses for each party
- Email addresses for each party
- Accepted delivery methods (certified mail, overnight courier, email with read receipt)
- When notice is considered "received" (upon delivery, upon sending, or a specified number of days after mailing)
12. Signature blocks
Every enforceable NDA must be properly signed. The signature block should include:
- Printed name of each signatory
- Title or authority of each signatory (e.g., CEO, Managing Partner, Authorized Representative)
- Date of signature
- Space for physical or electronic signature
- If signing on behalf of an entity, the entity name above the signature line
Common mistake: Having the wrong person sign. If the agreement is with a company, the signatory must have actual authority to bind the company. A junior employee signing an NDA on behalf of a corporation may not create an enforceable agreement.
Unilateral vs. mutual: which structure do you need?
The structure of your NDA depends on the direction of information flow:
| Scenario | NDA Type | Why |
|----------|----------|-----|
| Hiring a freelancer or contractor | Unilateral | Only you are sharing sensitive information |
| Exploring a partnership or joint venture | Mutual | Both parties share confidential information |
| Pitching to investors | Unilateral (if they will sign — many investors refuse NDAs) | You are disclosing business plans and financials |
| Merger or acquisition due diligence | Mutual | Both parties exchange sensitive business data |
| Engaging a consultant | Unilateral or mutual | Depends on whether the consultant shares proprietary methodologies |
| Employee onboarding | Unilateral | The employer shares trade secrets and internal processes |
A mutual NDA uses the same clauses as a unilateral NDA but applies obligations to both parties. Both become "Disclosing Party" and "Receiving Party" depending on who shares what information.
Common mistakes that make NDAs unenforceable
Even well-intentioned NDAs fail when they contain these errors:
1. Vague definition of confidential information. If a court cannot determine what was supposed to be protected, it cannot enforce the protection. "All information" is not specific enough. List categories.
2. Missing exclusions. An NDA without standard exclusions (public information, prior knowledge, independent development) is unreasonably broad and vulnerable to challenge.
3. No survival clause. When the NDA expires, so do confidentiality obligations — unless the survival clause says otherwise. This is the single most common drafting error.
4. Unreasonable duration. A 20-year confidentiality obligation for general business information that becomes obsolete in 2 years is unlikely to be enforced as written. Match the duration to the lifespan of the information.
5. Wrong signatory. An NDA signed by someone without authority to bind the company may not be enforceable against the company.
6. No consideration. In some jurisdictions, a contract requires consideration — something of value exchanged by both parties. In a mutual NDA, the exchange of confidential information is the consideration. In a unilateral NDA, ensure there is adequate consideration (often the opportunity to evaluate a business deal, or employment/engagement itself).
7. Overly broad non-compete bundled in. Some NDAs include non-compete clauses that are too broad for the jurisdiction. If the non-compete is struck down, it can sometimes affect the enforceability of the entire NDA depending on how the agreement is drafted. Keep non-compete restrictions reasonable and include a severability clause.
Your NDA checklist
Before signing or sending any non-disclosure agreement, confirm it includes:
- [ ] Clear identification of all parties (legal names, addresses)
- [ ] Specific definition of confidential information (categories, formats)
- [ ] Standard exclusions (public info, prior knowledge, independent development)
- [ ] Receiving party obligations (non-disclosure, non-use, standard of care)
- [ ] Defined term and survival period
- [ ] Stated permitted purpose
- [ ] Return or destruction requirements
- [ ] Remedies for breach (injunctive relief, damages)
- [ ] Governing law and dispute resolution
- [ ] Proper signature blocks with authorized signatories
- [ ] Notices clause with current contact information
Create your NDA
A well-drafted NDA protects your most valuable business information — your ideas, your data, your competitive advantages. A poorly drafted one gives you a false sense of security that evaporates the moment you need enforcement.
Every clause covered in this guide exists for a reason. Skip one, and you create a gap. Draft one poorly, and you create a vulnerability. Get them all right, and you have a document that actually holds up when it matters.