The difference between a good NDA and a bad one is almost never length. It is whether the drafter understood what each clause was actually for. A recycled form that swaps in two company names creates a powerful illusion of protection — an illusion that lasts right up until the moment it matters. This checklist breaks the NDA into its load-bearing parts so you can build, or review, an agreement that a court will actually enforce.

An NDA is also one piece of a larger protection program; it works best alongside the measures in the "Building a Trade Secret Protection Program" checklist. For the narrative deep dive, see "Drafting Enforceable Non-Disclosure Agreements for Technology Transactions"; for the underlying doctrine, see "Protection of Trade Secrets."

Remember what an NDA can and cannot do. It does not create property rights, does not stop independent development, and does not automatically make information a trade secret. What it does — and this is genuinely valuable — is create a contractual framework that supplements trade secret law, reaches information that would never qualify as a trade secret, and itself counts as evidence of the reasonable measures the law expects to find. Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 925 F.2d 174 (7th Cir. 1991).

Phase 1: Structure the agreement to the deal

  • Choose mutual (both sides disclose and are bound) or one-way based on the actual flow of information, not bargaining power.
  • Use mutual where both sides will genuinely share or the flow is uncertain; use one-way where disclosure truly runs in a single direction.
  • Draft a preamble identifying the parties and a purpose clause that frames the relationship and defines the "Purpose" anchoring the use restrictions.

Why this matters. A one-way NDA loading sweeping restrictions on the recipient with no reciprocity can draw closer scrutiny (and an adhesion argument); a mutual NDA's symmetry tends to look more balanced. But forcing mutuality when one side has nothing to disclose just manufactures confusion and hands the non-discloser rights it can use as leverage.

Phase 2: Define confidential information — the heart of the agreement

  • Use a layered definition: (1) information marked confidential in tangible form; (2) information disclosed orally or visually, identified as confidential at the time and confirmed in writing within a set window (commonly 30 days); and (3) information a reasonable person would understand to be confidential.
  • Add, without limiting the foregoing, an enumerated list keyed to this deal (for a tech deal: source/object code, algorithms, model architectures, training data, APIs, database schemas, security architectures, roadmaps, performance data).
  • Make clear the definition reaches notes, analyses, compilations, and derivatives the recipient creates from the disclosed information.
  • Build an organizational habit to actually operate the marking machinery — designate who sends the post-meeting confirmation, use a template, and treat the confirmation window as a hard deadline.

Why this matters. Too narrow and valuable information sits outside the fence; too broad and a court may refuse to enforce it as indefinite. Lasership, Inc. v. Watson, 79 Va. Cir. 205 (2009), declined to enforce a definition so broad the recipient could not tell what was covered. The layered approach gives certainty plus a safety net for the live whiteboard session that nobody stamped — the single most valuable disclosure of many engagements.

Phase 3: Both covenants, exclusions, and permitted uses

  • Include a non-disclosure covenant (do not reveal to third parties) AND a separate non-use covenant (use solely for the defined Purpose "and for no other purpose").
  • In tech deals, add an express prohibition on using the information to reverse engineer, design around, or replicate the disclosing party's products.
  • State the four standard exclusions: information (1) public at disclosure or later public through no fault of the recipient; (2) already known to the recipient per its written records; (3) independently developed without using the disclosure; and (4) rightfully received from a third party without restriction.
  • Scope the Purpose precisely — broad enough to permit the real work, narrow enough that competing development falls outside.
  • Add a "need to know" provision allowing disclosure only to representatives who need it, are informed of its confidential nature, are bound by at-least-as-protective obligations, and for whose breaches the recipient is responsible.

Why this matters. A pure non-disclosure covenant lets a recipient quietly use what it learned to build a competing product without ever telling anyone — the very harm the disclosing party most fears. The standard exclusions are not concessions; an NDA purporting to lock up public information overreaches in ways that can poison enforceability across the board. Ambiguity about third-party disclosure is one of the single most common sources of NDA disputes.

Phase 4: Term, survival, and the Section 1833(b) notice

  • Specify two distinct periods: the term (during which information may be disclosed) and the survival period (during which obligations continue after the term).
  • Use a fixed survival period (often 3–5 years) for ordinary confidential information plus a proviso that obligations as to any information that is a trade secret continue for as long as it remains a trade secret.
  • Include the DTSA Section 1833(b) whistleblower-immunity notice in every agreement that binds an individual (employee or contractor), either set out directly or by express cross-reference to a policy that contains it.

Why this matters. An arbitrary cutoff on trade secret obligations does not just under-protect the secret — it hands every future defendant an argument that the company itself did not treat the information as a perpetual secret. And omitting the Section 1833(b) notice forfeits the right to recover exemplary (double) damages and attorneys' fees under the DTSA against the bound individual — 18 U.S.C. § 1833(b)(3)(C). It costs nothing to include and is almost never in recycled forms.

Phase 5: Compelled disclosure, return, and remedies

  • Add a compelled-disclosure clause requiring prompt notice (where lawful), cooperation at the discloser's expense in resisting or narrowing the demand, minimal disclosure, and confidential treatment — and clarifying that a compliant compelled disclosure is not a breach.
  • Add return or destruction of materials on request or termination, with officer certification, and a carve-out permitting retention required by law or routine backup provided such copies remain subject to the obligations.
  • Add a remedies clause: acknowledgments that breach may cause irreparable harm for which damages are inadequate, that equitable relief may be sought without proving monetary damages, and (often) without a bond.
  • Add a cumulative-remedies clause preserving trade secret, tort, and statutory claims (including DTSA seizure and exemplary damages) alongside the contract claim.
  • Consider a liquidated-damages clause only where actual damages are genuinely hard to ascertain and the sum is a reasonable pre-estimate (not a penalty) — Restatement (Second) of Contracts § 356.
  • Fix governing law, jurisdiction, and dispute resolution, with a "without regard to conflict-of-laws principles" tag; consider arbitration for cross-border deals (New York Convention enforceability).

Why this matters. Money damages for a confidentiality breach are notoriously hard to prove and rarely adequate — once the secret is out, no check un-rings the bell — so injunctive relief is the main event. The contractual acknowledgments speak directly to the Rule 65 factors and remove easy arguments, though courts retain discretion. The cumulative-remedies and Section 1833(b) clauses are two halves of one strategy: one makes the statutory remedies available, the other keeps the contract from throwing them away.

Phase 6: The technology industry's hard problems

  • Negotiate residual knowledge carefully: if granted at all, confine it to general knowledge, skills, and experience in unaided memory, expressly excluding the specific crown-jewel technology, its parameters, methodology, and source code; control who sees the most sensitive material in the first place.
  • Draft reverse-engineering restrictions to bar reverse engineering, decompilation, and disassembly "except to the extent prohibited by applicable law" (some jurisdictions grant non-waivable decompilation rights for interoperability) — Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003).
  • Add a security clause (safeguards no less rigorous than the recipient uses for its own comparable information and reasonable industry standards), an IP-ownership clause (no transfer, no implied license), and an open-source clause requiring consent before confidential code is combined with copyleft-licensed software.

Why this matters. A broad residuals clause can swallow the entire NDA, reducing a know-how confidentiality agreement to one that covers only paper. Reverse-engineering bans are enforceable against parties who agree to them but must be qualified to survive in interoperability-protective jurisdictions like the EU.

Common mistakes

  • A non-disclosure covenant with no non-use covenant — only half an NDA.
  • A fixed survival period that silently authorizes free use of trade secrets on a date the parties forgot.
  • Omitting the Section 1833(b) notice and forfeiting double damages and fees.
  • Deleting the standard exclusions to "capture more," which corrodes enforceability.
  • A marking-only definition the company never actually operates (no confirmation emails after live technical sessions).

Primary authority

  • DTSA, 18 U.S.C. §§ 1836–1839, including § 1833(b) (whistleblower-immunity notice) and § 1836(b)(3)(C)–(D) (exemplary damages and fees).
  • Uniform Trade Secrets Act (adopted in every state but New York).
  • Restatement (Second) of Contracts § 356 (liquidated damages); Fed. R. Civ. P. 65 (injunctions).
  • Key cases: Rockwell Graphic Systems v. DEV Industries, 925 F.2d 174 (7th Cir. 1991); Lasership, Inc. v. Watson, 79 Va. Cir. 205 (2009); Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003).

This checklist is for general informational purposes only and does not constitute legal advice or create an attorney-client relationship. Contract and trade secret law vary by jurisdiction and continue to evolve. Consult qualified counsel to prepare or review an NDA for your specific transaction.