
How to Build Custom NDAs That Actually Protect Sensitive Information in 2026

The complete framework for creating enforceable non-disclosure agreements without expensive lawyers

By Chandler Supple | 14 min read

You're about to share your startup's financial projections with a potential investor. Or show your product roadmap to a contractor. Or discuss a possible acquisition with another company. In each case, you need the other party to keep what you share confidential, but you don't want to spend $2,000 having a lawyer draft a custom NDA.

So you download a generic NDA template from the internet. It's 12 pages of dense legalese that doesn't quite fit your situation. It talks about "proprietary information" without defining what that means for you. It has a two-year term when you need five years. It doesn't address what happens if someone leaves the company after seeing your information. And you have no idea if it's even enforceable in your state.

This guide shows you how to create NDAs that actually protect your information without paying thousands in legal fees. You'll learn when you need mutual versus one-way NDAs, what makes them enforceable, how to define confidential information properly, and what post-2025 updates matter for digital assets and AI data.

One-Way vs. Mutual NDAs

The first decision is whether you need a unilateral (one-way) or bilateral (mutual) NDA. This depends on who's sharing confidential information.

One-Way (Unilateral) NDAs

Use when only one party is disclosing confidential information to the other.

Common situations:

  • Employee or contractor onboarding (company shares info, employee receives)
  • Investor pitch (startup shares projections, investor receives)
  • Vendor evaluation (you share requirements, vendor receives)
  • Selling a business (seller shares financials, buyer receives)

In one-way NDAs, obligations are asymmetrical: the receiving party must protect the information, while the disclosing party has no reciprocal obligations.

One-way NDAs are faster to negotiate because there's no back-and-forth about mutual obligations.

Mutual (Bilateral) NDAs

Use when both parties will share confidential information with each other.

Common situations:

  • Partnership discussions (both companies share strategies)
  • Merger/acquisition negotiations (both sides do due diligence)
  • Technology collaborations (both parties share technical info)
  • Joint ventures (both contribute proprietary information)

In mutual NDAs, both parties are simultaneously disclosing and receiving parties, with identical obligations.

Mutual NDAs take longer to negotiate because both sides want to ensure their interests are protected equally.

How to Decide

Ask: Will both sides share information that needs protection?

If yes, mutual. If no, one-way.

Don't use mutual NDAs just to seem fair when you're the only party sharing sensitive information. It unnecessarily complicates the agreement and creates obligations you don't need.

Defining Confidential Information

This is the most important section. If you define it too broadly, everything becomes confidential and the agreement is hard to comply with. Too narrow, and you don't protect what matters.

Two Approaches

Broad Definition (Most Common)

"Confidential Information means all information disclosed by Disclosing Party, whether written, oral, electronic, or visual, that relates to Disclosing Party's business, products, services, or customers, including but not limited to technical data, trade secrets, know-how, research, product plans, services, customer lists, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration, marketing, finances, or other business information."

Then add: "Confidential Information includes information marked 'Confidential' and information that would reasonably be understood to be confidential given its nature and the circumstances of disclosure."

This approach casts a wide net. It protects most things you'd want protected without listing everything exhaustively.

The key is the "reasonably understood" language. If you tell someone your customer list verbally, it's protected even if you didn't mark it "confidential." Context matters.

Specific Categories (When Precision Matters)

Sometimes you want to limit what's covered:

"Confidential Information means only the following information disclosed by Disclosing Party: (a) source code and technical documentation for the ABC Software platform; (b) customer lists and pricing data for enterprise customers; (c) product roadmap for 2026-2027."

Use this when you're sharing some information that needs protection but other information that doesn't, and you want to be precise about what's covered.

Marking Requirements

Should you require information to be marked "confidential" to be protected?

For written information: yes, it makes enforcement clearer. But build in flexibility for oral disclosures:

"Information disclosed in tangible form shall be marked 'Confidential.' Information disclosed orally shall be identified as confidential at the time of disclosure and confirmed in writing within 30 days, referencing the date and general subject matter."

This protects you when you discuss something confidential in a meeting and can't physically stamp it.

What to Include for Digital Assets and AI Data (Post-2025 Update)

Standard NDA templates from 2020 don't adequately cover modern data types. Add specific language:

"Confidential Information includes:

  • Training data, datasets, and data models used for artificial intelligence and machine learning applications
  • API keys, authentication credentials, and access tokens
  • Prompts, fine-tuning parameters, and model configurations
  • Digital assets including NFTs, cryptocurrency wallet information, and blockchain-related intellectual property
  • Cloud infrastructure configurations and security protocols"

This ensures your AI training data and digital assets are explicitly protected.


Standard Exclusions (What's Not Protected)

No information stays confidential forever, and some information was never confidential to begin with. Your NDA needs exclusions.

The Five Standard Exclusions

These appear in virtually every NDA and courts expect them:

1. Public Information
"Information that is or becomes publicly available through no breach of this Agreement by Receiving Party."

If you publish your product roadmap on your website, it's no longer confidential. The receiving party can't be held liable for using public information.

2. Prior Knowledge
"Information known to Receiving Party prior to disclosure by Disclosing Party, as evidenced by Receiving Party's written records."

If the receiving party already knew the information before you told them, they don't have to keep it confidential. The burden is on them to prove prior knowledge with documentation.

3. Independent Development
"Information independently developed by Receiving Party without use of or reference to Confidential Information, as evidenced by written records."

If someone figures out your process independently without using what you shared, that's not a breach. Again, they must prove it with records.

4. Third-Party Disclosure
"Information rightfully received by Receiving Party from a third party without breach of any confidentiality obligation."

If a competitor shares similar information with the receiving party (and that competitor had the right to share it), the information isn't protected under your NDA.

5. Required Disclosure
"Information required to be disclosed by law, regulation, court order, or governmental authority, provided that Receiving Party gives Disclosing Party prompt written notice and cooperates in any effort to obtain protective treatment."

You can't override legal obligations to disclose. But the receiving party must notify you so you can try to get a protective order or seal the records.

Why These Exclusions Matter

Without them, your NDA might be unenforceable. Courts won't enforce agreements that try to keep public information confidential or prevent people from using knowledge they already had.

These exclusions also make your NDA more likely to be signed. Sophisticated parties won't sign NDAs without standard exclusions because they're unreasonable.

Obligations and Use Restrictions

What exactly must the receiving party do (or not do) with your confidential information?

Core Obligations

Include at minimum:

Confidentiality: "Receiving Party shall hold Confidential Information in strict confidence."

Limited Use: "Receiving Party shall use Confidential Information solely for the purpose of [evaluating a potential business relationship / performing services under the Master Agreement / considering an investment]."

Be specific about the permitted purpose. "Evaluating a potential partnership" is clear. "Business purposes" is too vague.

Non-Disclosure: "Receiving Party shall not disclose Confidential Information to any third party except as permitted in Section [X]."

Standard of Care: "Receiving Party shall protect Confidential Information using the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care."

This sets a floor (reasonable care) and a ceiling (however careful they are with their own info).

Permitted Disclosures

The receiving party needs to share information with some people (employees, contractors, advisors). Define who and under what conditions:

"Receiving Party may disclose Confidential Information to its employees, officers, directors, contractors, and professional advisors (collectively, 'Representatives') who:

  • (a) have a legitimate need to know for the Purpose;
  • (b) have been informed of the confidential nature; and
  • (c) are bound by confidentiality obligations at least as protective as those herein.

Receiving Party is responsible for any breach by its Representatives."

This lets them function normally while keeping you protected.

Reverse Engineering Prohibition

If you're sharing prototypes, software, or physical products:

"Receiving Party shall not reverse engineer, disassemble, or decompile any prototypes, software, samples, or other tangible objects embodying Confidential Information."

Without this, they could take apart your product to learn how it works.

Residual Knowledge Provision (Careful Here)

Some agreements include "residual knowledge" clauses that say the receiving party can use information they remember without notes or documentation.

Example: "Nothing in this Agreement prevents Receiving Party's Representatives from using general skills, knowledge, and experience retained in their unaided memories."

This is a huge loophole. Avoid it unless the other party insists (sophisticated tech companies often do). If you must include it, limit it: "This provision does not apply to trade secrets or information that rises to the level of trade secret protection under applicable law."

Term, Duration, and Survival

How long does the NDA last? This has two components: the term of the agreement and how long confidentiality obligations survive.

Agreement Term

How long can information be shared under the NDA?

Options:

  • Fixed term: "This Agreement shall commence on the Effective Date and continue for three (3) years."
  • Terminable by either party: "This Agreement continues until terminated by either Party upon 30 days' written notice."
  • Tied to relationship: "This Agreement terminates upon completion of the Project or earlier termination of the Master Services Agreement."

For ongoing relationships (vendors, employees), indefinite with termination rights makes sense. For one-time disclosures (investor pitches), a fixed short term (1-2 years) works.

Survival of Confidentiality Obligations

This is more important: how long must information stay confidential after the agreement ends?

Typical durations:

  • 2-3 years: For information with short commercial life (marketing plans, pricing)
  • 5 years: Standard for most business information
  • Indefinite/Perpetual: For trade secrets that don't lose value over time (formulas, source code, algorithms)

Example language: "Obligations with respect to Confidential Information shall survive termination and continue for five (5) years from the date of termination, except that obligations with respect to information constituting trade secrets under applicable law shall continue for so long as such information remains a trade secret."

This gives you both: a defined period for general confidential info and indefinite protection for trade secrets.

Return or Destruction of Materials

What happens to your information when the relationship ends?

Include: "Upon termination or upon Disclosing Party's written request, Receiving Party shall either:

  • (a) return to Disclosing Party all materials containing Confidential Information, including all copies, notes, and derivatives; or
  • (b) certify in writing that all such materials have been destroyed.

Receiving Party may retain one copy solely for legal compliance purposes, subject to ongoing confidentiality obligations."

The "one copy for legal compliance" exception is standard and reasonable—sometimes companies must retain records for litigation holds or regulatory requirements.


Common Enforceability Pitfalls

An NDA that looks good on paper might not hold up in court if it has these problems:

Overly Broad Definitions

If your definition of confidential information is so broad it covers everything the other party sees or hears, courts may find it unreasonable.

Bad: "Confidential Information means any and all information disclosed by either party or observed during the course of the relationship."

That would make a casual comment in the hallway confidential. Too broad.

Unreasonable Duration

A 20-year confidentiality period for a short-term consulting project will raise eyebrows. Match duration to the reasonable commercial life of the information.

Missing Standard Exclusions

NDAs without the five standard exclusions (public information, prior knowledge, independent development, third-party disclosure, required disclosure) are often unenforceable.

Impermissible Restrictions (State-Specific)

California: Non-compete clauses are generally unenforceable. Even in an NDA, you can't prohibit someone from working in their field. You can protect confidential information, but you can't restrict employment.

Employee NDAs in New York: Recent laws restrict NDAs that prevent employees from discussing discrimination, harassment, or illegal conduct. Include carve-outs: "Nothing in this Agreement prevents Employee from reporting violations of law to government agencies or discussing workplace conditions as protected by law."

Non-solicitation clauses: Enforceable in most states but must be reasonable in scope and duration. "Employee shall not solicit Employer's customers for two years after termination" is likely OK. "Employee shall never contact anyone they met at Employer" is not.

Ambiguous Language

Vague terms lead to disputes. Don't write "Receiving Party shall use reasonable efforts to protect." What's reasonable? Instead: "Receiving Party shall protect Confidential Information using the same degree of care it uses for its own confidential information, but in no event less than reasonable care."

Balancing Protection with Usability

A 30-page NDA with excessive restrictions won't get signed. Sophisticated parties will redline it heavily or walk away.

What Investors Hate

If you're pitching to VCs or angel investors, they'll reject NDAs that:

  • Try to cover ideas (ideas aren't protectable, only execution)
  • Restrict them from investing in competitors
  • Have overly long terms (investors see hundreds of pitches; they can't track 5-year obligations for each)
  • Don't have residual knowledge provisions (they can't erase their memories)

Many sophisticated investors refuse to sign NDAs for initial pitches. Save NDAs for due diligence when you're sharing financials and customer data.

What Makes NDAs Signable

  • Reasonable scope (protects specific information, not everything)
  • Reasonable duration (matches commercial life of information)
  • Standard exclusions (the five mentioned earlier)
  • Clear permitted uses (they know what they can do with the info)
  • No surprise restrictions (no hidden non-competes or non-solicits)

A good NDA is 3-5 pages, clearly written, and doesn't make the other party's lawyer redline half of it.

Remedies and Enforcement

What happens if someone breaches your NDA?

Equitable Relief (Essential)

Include: "Receiving Party acknowledges that breach of this Agreement will cause irreparable harm to Disclosing Party for which monetary damages alone are inadequate. Disclosing Party shall be entitled to seek injunctive relief and specific performance without posting bond, in addition to any other remedies available at law or in equity."

Why this matters: Without this language, you might have to prove monetary damages to get a court to stop the breach. With it, you can get an immediate injunction to stop further disclosure while litigation proceeds.

Attorney's Fees

Should the prevailing party recover attorney's fees?

"In any action to enforce this Agreement, the prevailing party shall be entitled to recover its reasonable attorney's fees and costs."

This cuts both ways—if you sue and lose, you pay their fees. But it also discourages frivolous defenses.

Liquidated Damages (Rare)

Some NDAs specify a set amount for breaches. Generally not recommended because:

  • Hard to estimate damages in advance
  • May be unenforceable if amount isn't reasonable estimate of actual harm
  • Caps your recovery (you can only get the specified amount, even if actual damages are higher)

Key Takeaways

NDAs protect confidential information by creating legal obligations, but only if they're properly drafted and enforceable.

Choose one-way NDAs when only you're sharing information, mutual when both parties are. Don't complicate things unnecessarily.

Define confidential information clearly but not so broadly that everything becomes confidential. Use specific categories when precision matters, broad definitions when you want comprehensive coverage.

Include the five standard exclusions (public information, prior knowledge, independent development, third-party disclosure, required disclosure). Courts expect these and won't enforce NDAs that try to protect information that was never confidential.

Match duration to the commercial life of your information. Two to five years for most business information, indefinite for true trade secrets.

Update your NDAs for 2026 reality: explicitly cover AI training data, digital assets, API credentials, and modern data types that older templates don't address.

Keep it reasonable. NDAs with excessive restrictions, unreasonable terms, or impermissible provisions (like California non-competes) won't be enforced and won't get signed in the first place.

Include injunctive relief language. Monetary damages alone don't stop ongoing breaches—you need the ability to get a court order stopping further disclosure immediately.

Frequently Asked Questions

Do I need an NDA before every business conversation?

No. Use NDAs when you're sharing specific confidential information (financials, customer lists, technical details, trade secrets). General discussions about potential partnerships or high-level concepts usually don't require NDAs. Many sophisticated investors won't sign NDAs for initial pitches.

Can an NDA protect my business idea?

Not really. Ideas alone aren't protectable—only specific expression, execution details, and proprietary information. An NDA can protect how you plan to execute the idea (your strategy, technology, customer approach), but not the general concept itself.

How long should an NDA last?

Agreement term: 1-3 years for one-time disclosures, indefinite with termination rights for ongoing relationships. Confidentiality obligations: 2-5 years for most information, indefinite for trade secrets. Match duration to how long the information has commercial value.

What happens if someone breaches my NDA?

You can sue for damages and seek an injunction to stop further disclosure. With proper injunctive relief language, you can get a court order stopping the breach immediately. You'll need to prove breach occurred and show damages or irreparable harm. Attorney's fees may be recoverable if included in the agreement.

Should I use a mutual or one-way NDA?

Use one-way when only you're sharing confidential information (employee onboarding, vendor evaluation, investor pitch). Use mutual when both sides will share (partnership negotiations, M&A due diligence, joint ventures). Don't use mutual just to seem fair—it complicates unnecessarily.

Are non-compete clauses enforceable in NDAs?

Depends on your state. California generally doesn't enforce non-competes. Most states enforce reasonable non-competes (limited scope, geography, duration). In an NDA, focus on protecting information, not restricting employment. Non-solicitation of customers is usually more enforceable than non-compete.

Can I use a template NDA or do I need a lawyer?

Templates are fine for standard situations if customized to your needs. Have a lawyer review if: (1) the information is extremely valuable, (2) you're in a heavily regulated industry, (3) it's for a major transaction, or (4) you're operating across multiple states/countries with different laws.

Chandler Supple

Co-Founder & CTO at River

Chandler spent years building machine learning systems before realizing the tools he wanted as a writer didn't exist. He founded River to close that gap. In his free time, Chandler loves to read American literature, including Steinbeck and Faulkner.
