The Most Common Contract Nobody Reads Carefully

Somewhere right now, two companies are about to share secrets, and the only thing standing between them and disaster is a document neither of them is reading. Someone pulled an NDA off a shared drive, swapped in two company names, and emailed it over with the subject line "standard, just sign." Both sides signed. Both sides felt protected. At least one of them is wrong.

The non-disclosure agreement occupies a strange place in commercial life. It is everywhere—signed reflexively before exploratory talks, due diligence, partnership pitches, vendor demos, employment, and a hundred other moments when confidential information might change hands. And precisely because it is everywhere, it has bred a kind of institutional carelessness: boilerplate copied without thought, definitions recycled without adapting them to the deal, essential terms muddled or left out entirely. The result is that a great many NDAs protect far less than the parties believe, and some collapse completely when a court finally looks at them. The signature at the bottom creates a powerful illusion of safety. The illusion lasts right up until the moment it matters.

To make the stakes concrete, follow Lumen Robotics, a fictional startup whose entire value lies in a perception algorithm that lets warehouse robots identify and grasp irregularly shaped objects—the unglamorous problem that has frustrated automation for decades. Lumen is about to open talks with Crane Industrial, a large equipment maker, about integrating Lumen's technology into Crane's products. To have a real conversation, Lumen must show Crane its architecture, some of its source code, and its performance data—the crown jewels. The only thing between "productive partnership discussion" and "we just handed our biggest potential competitor the company" is the NDA. If that NDA is well drafted, Lumen can speak freely and stay protected. If it is the usual recycled boilerplate, Lumen may discover, far too late, that the document it trusted was theater.

This guide works through the NDA systematically, provision by provision, explaining what each is for, where drafters stumble, and what language courts have generally enforced—keeping Lumen's deal in view throughout, and paying special attention to the technology problems that generic NDAs handle badly. An NDA is also one piece of a larger protection program, and it works best alongside the measures described in our guide on building a trade secret protection program from scratch. Think of what follows not as a form to fill in but as a way of thinking about a deal—because the difference between a good NDA and a bad one is almost never the length of the document. It is whether the person who wrote it understood what each clause was actually for.

What an NDA Can and Cannot Do

Before drafting, it helps to be honest about the tool's limits, because half of all bad NDAs come from asking the document to do something it cannot.

An NDA is a contract under which one or both parties agree to keep certain information confidential and to restrict its use, and a breach gives rise to ordinary contract remedies—damages and, in the right cases, injunctive relief. But an NDA does not create property rights in information. It does not stop the other side from independently developing the same thing, or learning it from somebody else, or reading it in a trade journal next month. It does not automatically transform information into a trade secret. And it does not, by itself, supply the powerful statutory remedies that trade secret law provides. What it does—and this is genuinely valuable—is create a contractual framework that supplements other protections and can also reach information that would never qualify for trade secret status at all: a product roadmap, a pricing strategy, a list of which customers are unhappy. Trade secret law protects only secrets that derive value from secrecy. An NDA can protect whatever the parties agree to protect, which is a much larger universe.

The relationship between NDAs and trade secret law is worth understanding, because it is symbiotic rather than redundant. Under the Defend Trade Secrets Act of 2016 (DTSA), 18 U.S.C. §§ 1836–1839, and the Uniform Trade Secrets Act adopted in every state but New York, information is a trade secret only if it derives independent economic value from not being generally known and the owner takes reasonable measures to keep it secret. An NDA is one of those reasonable measures—courts routinely cite the presence or absence of confidentiality agreements as evidence of whether an owner took adequate precautions. Judge Posner put the principle memorably in Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 925 F.2d 174 (7th Cir. 1991), reasoning that the more a company spends on secrecy precautions, the stronger the inference that the information has real value worth misappropriating, and that "perfect security is not optimum security"—the law asks for reasonable measures, not paranoid ones. NDAs are squarely among the reasonable measures courts expect to find.

But the NDA does more than tick the reasonable-measures box. A good one defines the protected information clearly, fixes what uses are permitted, forecloses any later claim that the recipient did not know the information was confidential, and supplies contractual remedies that may survive even when a trade secret claim fails for some technical reason. The two regimes also cover different gaps: trade secret protection vanishes the instant a secret becomes public, but a contract claim for the breach that caused the disclosure can survive that loss. For Lumen, the NDA is therefore both a shield for the algorithm and a brick in the evidentiary wall proving the algorithm is a protectable trade secret in the first place. The interplay runs throughout our companion guides on the protection of trade secrets and legal protection of software, and it is the reason an NDA should never be drafted as if it stood alone.

Mutual or One-Way? Match the Document to the Flow

The first structural question is whether the NDA should be mutual—both sides disclose, both bear obligations—or one-way, where one side discloses and one side is bound. The answer should track the actual flow of information, not raw bargaining power, and getting this wrong is a surprisingly common first mistake.

A one-way (unilateral) NDA fits where information genuinely runs in a single direction: a company pitching investors, an employer giving a new hire access to trade secrets, a vendor demonstrating a product to a prospect. A mutual NDA fits where both sides will share—partnership talks, joint ventures, potential mergers, co-development—and it spares the parties from drafting two agreements while placing them under symmetric obligations, which tends to smooth negotiation by removing the "why am I taking on duties you aren't" objection before it starts. The choice has consequences beyond convenience. Courts assessing an NDA's reasonableness consider its structure; a one-way agreement that loads sweeping restrictions onto the receiving party with no reciprocal obligation can draw closer scrutiny, especially if the recipient argues it was a contract of adhesion, while a mutual NDA's built-in symmetry tends to look more balanced and earn more deferential treatment.

For Lumen and Crane, the right answer is a mutual NDA. Although Lumen is the party with the precious algorithm, Crane will also share confidential information about its product roadmap, manufacturing constraints, and integration architecture, and the symmetry will make the negotiation easier and the agreement more defensible. A practical caution cuts the other way, though: some practitioners reflexively default to mutual NDAs even when disclosure is overwhelmingly one-directional. That has merit when the flow is genuinely uncertain, but when one side truly has nothing confidential to share, forcing mutuality just manufactures confusion about what is actually being protected—and a recipient who is "also" a discloser on paper but never discloses anything has quietly acquired a set of rights it can use as leverage later. Draft the document the deal needs, not the document the form library happens to offer.

Defining Confidential Information: the Heart of the Agreement

No provision is more important, or more frequently botched, than the definition of confidential information, because it draws the boundary around everything the agreement protects. Too narrow, and valuable information sits outside the fence. Too broad, and the definition may be unenforceable, or may sweep in things the disclosing party never meant to restrict and would be embarrassed to defend in court. The definition is where most NDA failures are quietly born, months before anyone notices.

Two flawed approaches recur. The first defines confidential information with sweeping categorical language—"all information relating to the Disclosing Party's business, technology, products, or operations." It feels comprehensive, but it is vague to the point of being meaningless, and courts have sometimes refused to enforce such definitions as too indefinite for the recipient to know what it must protect. In Lasership, Inc. v. Watson, 79 Va. Cir. 205 (2009), a Virginia court declined to enforce confidentiality restrictions whose breadth left the obligated party unable to determine what was actually covered. A definition the recipient cannot operate is a definition a court may decline to enforce. The opposite error is pure enumeration—"Confidential Information means source code, customer lists, pricing, and marketing plans"—which is admirably clear but risks leaving anything unlisted outside protection. That is a real and recurring danger in technology deals, where the precise information to be shared is rarely known in full at the outset and the most valuable disclosure often turns out to be something nobody thought to list.

The best practice combines both approaches, anchored by a marking mechanism. A strong definition covers three layers: (1) information marked confidential when disclosed in tangible form; (2) information disclosed orally or visually that is identified as confidential at the time and confirmed in writing within a set window—commonly thirty days; and (3) information that, by its nature or the circumstances of disclosure, a reasonable person would understand to be confidential. It then adds, without limiting the foregoing, a list of the categories that matter to this specific deal. That structure gives the recipient a clear way to identify protected information, a sensible process for capturing oral disclosures, a reasonable-person safety net for sensitive material disclosed without formal marking, and concrete examples that clarify intent without capping protection. For Lumen, the enumerated categories should expressly include source code and object code, algorithms and processing methods, model architectures and training data, APIs and interface specifications, database schemas, security architectures, product roadmaps, and performance and benchmark data—the specific things Lumen will be showing Crane—so that no one can argue two years from now that the algorithm somehow fell outside a definition that mentioned everything except the thing the whole deal was about.

One more subtlety belongs here: the definition should make clear that confidential information includes not just what the disclosing party hands over but also notes, analyses, compilations, and derivatives the recipient creates from it. Otherwise a clever recipient can argue that the spreadsheet it built from Lumen's raw performance data is its own work product, free of the NDA's restrictions—turning the recipient's summary of your secret into a loophole around protecting the secret.

Non-Disclosure Versus Non-Use: Two Promises, Not One

Here is a distinction that sinks more technology NDAs than any grammatical slip in the drafting: the difference between a promise not to disclose information and a promise not to use it. They are not the same obligation, and an agreement that contains only the first leaves a hole big enough to drive the entire deal through.

A pure non-disclosure covenant says the recipient will not reveal your confidential information to third parties. Read it literally, and a recipient who never tells a soul but quietly builds a competing product using everything it learned has not breached at all. It disclosed nothing. It simply used the information—internally, silently, and to your enormous detriment. This is precisely the gap a non-use covenant closes. As the drafting commentary on the leading mutual-confidentiality forms emphasizes, a provision that restricts only disclosure may permit the recipient to exploit the information internally to gain a competitive advantage without ever revealing it to anyone, which is often the very harm the disclosing party most fears. The fix is a separate, explicit covenant that the recipient will use the confidential information solely for the defined Purpose "and for no other purpose"—paired, in technology deals, with an express prohibition on using the information to reverse engineer, design around, or replicate the disclosing party's products.

For Lumen, the non-use covenant is arguably more important than the non-disclosure covenant. Lumen's nightmare is not that Crane will publish the algorithm on the internet; it is that Crane's own engineers will absorb it and build Crane's own object-grasping feature. Only a robust non-use covenant reaches that conduct. The two promises work as a pair—one guards the perimeter against leaks outward, the other guards against the recipient mining the information for its own internal gain—and an NDA that contains one but not the other is only half an NDA. Whenever you review a confidentiality agreement, the first question to ask is: does this restrict use, or only disclosure? If only disclosure, it is weaker than it looks.

The Standard Exclusions: What the Agreement Does Not Protect

Every well-drafted NDA carves out categories that are not confidential information regardless of marking, and these exclusions are not throwaway formalities or recipient-friendly concessions—they reflect legal realities courts expect to see, and an NDA that omits them can look overreaching enough to jeopardize the whole agreement. Four exclusions are essentially universal, and each addresses a distinct principle that the law would likely impose even if the contract were silent.

First, information that was public at the time of disclosure or later becomes public through no fault of the recipient. No one can monopolize what the world already knows; an NDA purporting to lock up public information is not just unenforceable as to that information, it is a warning sign about the drafter's judgment. Second, information the recipient already knew, shown by its written records. The recipient should not be restricted in using what it brought to the table. Third, information the recipient independently develops without using the disclosed information. A company's own R&D must be preserved, or no sophisticated party could ever sign. Fourth, information rightfully received from a third party without restriction. The disclosing party cannot control information others are lawfully free to share.

The independent-development exclusion deserves special care in technology deals, because companies routinely work on the same problems and the recipient may be building in exactly the discloser's space. Without a clear independent-development carve-out, Crane would face a claim that any subsequent robotics work in Lumen's area misappropriated what it learned during the talks—an in terrorem threat that could chill the very partnership the NDA was meant to enable. But proving independent development after exposure is famously hard, which is why serious companies sometimes use "clean room" procedures: a development team walled off from the confidential disclosures, building from public sources only, with contemporaneous documentation of what it knew and when. The NDA cannot create that record, but the exclusion preserves the legal option for parties disciplined enough to build the procedures. One firm drafting warning: some aggressive disclosing parties try to delete or shrink the standard exclusions, hoping to capture more. A receiving party should resist this firmly—not merely as a matter of self-interest, but because an NDA purporting to protect public information or to restrain the recipient's use of what it already possessed overreaches in ways that can poison its enforceability across the board. The standard exclusions are good for both sides, which is exactly why they are standard.

Permitted Uses and Permitted Disclosures

If the definition fixes what is protected and the non-use covenant fixes that it may not be exploited generally, the permitted-use and permitted-disclosure provisions fix the narrow channels through which the information may legitimately flow.

The purpose limitation is the workhorse: the recipient may use the confidential information solely for a stated Purpose. Everything depends on scoping that Purpose to what the parties actually intend—broad enough to permit the real work, narrow enough to forbid everything else. "Evaluating a potential strategic relationship" suits early exploratory talks; something more specific suits deeper technical engagement. For Lumen and Crane, the Purpose might be "evaluating and, if the parties proceed, implementing a technical integration of Lumen's perception technology into Crane's products"—broad enough to let Crane's engineers actually study the algorithm well enough to assess fit, narrow enough that using it to accelerate Crane's own competing development falls plainly outside. A Purpose clause that is too vague is nearly as bad as no Purpose clause at all, because "use" is meaningless without a yardstick.

Absolute non-disclosure, meanwhile, is impractical: the recipient must share the information with the people who need it to do the work. The standard solution is a "need to know" provision allowing disclosure to those employees, contractors, and professional advisors who (a) need the information for the Purpose, (b) are informed of its confidential nature, and (c) are bound by confidentiality obligations at least as protective as the NDA's. This builds a chain of protection that follows the information downstream while making the recipient contractually responsible for any breach by its representatives—so Crane cannot escape liability by pointing at a leaky subcontractor. In technology deals the disclosure provisions often need bespoke refinement: if Crane intends to bring in a specific implementation subcontractor or a cloud-hosting vendor, that party should either be named as a permitted recipient or be subject to Lumen's consent, not to be unreasonably withheld. Ambiguity about third-party disclosure is one of the single most common sources of NDA disputes, because it is precisely where information escapes the people who negotiated the deal and reaches people who never read it.

Marking: Where Good Intentions Unravel

The marking mechanism deserves a closer look, because it is where careful drafting most often collides with messy reality. A definition that protects only information "marked as Confidential" is clean and gives the recipient real certainty about what it must guard—but it protects only what actually gets marked, and in the rush of a live deal, marking is exactly what busy people forget.

Picture a Lumen engineer on a video call walking Crane's team through the algorithm's architecture on a shared screen, answering questions in real time, sketching the data flow on a virtual whiteboard, talking through the failure modes the team spent two years solving. None of that is "marked." There is no stamp on a whiteboard. If the NDA protects only marked information, the single most valuable disclosure of the entire engagement—the live, unguarded explanation of how the algorithm actually works—may fall outside the agreement entirely. The crown jewels walked out the door with no fence around them, and nobody noticed because everybody was busy being helpful.

This is why the layered definition matters so much, and why the oral-disclosure mechanism cannot be an afterthought. A well-drafted NDA captures oral and visual disclosures identified as confidential at the time and confirmed in writing within a set window, and it backstops both with the reasonable-person catchall for sensitive material disclosed without any formal marking at all. But these mechanisms only work if a human being actually uses them. The discipline that makes a marking regime real is organizational, not textual: the disclosing party should designate who is responsible for sending the post-meeting confirmation, build a simple template for it, and treat the thirty-day confirmation window as a hard deadline rather than a fond hope. For Lumen, the safest course pairs the layered definition with a habit—after every substantive technical session with Crane, someone sends a short email confirming, in general terms, that the matters discussed were confidential. That email is not bureaucratic box-checking. It is the document that, two years later in a deposition, proves the live whiteboard session was protected when Crane's lawyer insists it was just a friendly chat about robotics.

The recipient has the opposite and equally legitimate interest: Crane wants to know precisely what it must protect, which is why receiving parties favor strict marking requirements and resist sprawling "reasonable person" catchalls that leave their engineers guessing whether yesterday's coffee-break comment is now a contractual landmine. The negotiated balance—marking as the default, prompt written confirmation for the inevitable verbal disclosures, and a bounded reasonable-person backstop—serves both sides honestly. But it only works if the disclosing party actually operates the machinery it bargained for. The most elegant marking clause in the world is worthless to a company that never sends the confirmation email.

Term and Survival: How Long Protection Actually Lasts

Every NDA should specify two distinct periods, and conflating them is a classic drafting error. The term is the period during which information may be disclosed under the agreement. The survival period is the period during which the confidentiality and non-use obligations continue after the term ends—and the survival period is where the protection actually lives.

A common structure pairs a modest term—often one to three years, with either party able to terminate earlier on written notice—with a longer survival period for the confidentiality obligations. The right survival period depends entirely on the information. For ordinary commercial confidential information, a fixed period of three to five years is typical and sensible: information about this year's pricing or last quarter's roadmap simply stops mattering. But trade secrets are different, and they demand different treatment. A trade secret stays valuable for exactly as long as it stays secret, which may be forever. An arbitrary three-year cutoff on trade secret obligations does not just under-protect the secret; it can actively undermine its trade secret status, because a company that contractually agreed its own secret could be freely used after three years has handed every future defendant an argument that the company itself did not treat the information as a perpetual secret.

The balanced approach that sophisticated technology NDAs adopt is therefore a hybrid: a fixed survival period for ordinary confidential information plus a provision that obligations as to any information qualifying as a trade secret continue for as long as it remains a trade secret. The well-drafted clause says the obligations expire after the stated number of years, "provided that with respect to Confidential Information that constitutes a trade secret under applicable law, such rights and obligations will survive that expiration until, if ever, the information loses its trade secret protection other than through an act or omission of the Recipient." That single proviso gives certainty for the bulk of the information while preserving maximum, potentially perpetual protection for the discloser's most valuable secrets—exactly what Lumen wants for an algorithm it intends to keep secret indefinitely. For the broader strategy of keeping trade secrets perpetually protected, see our guide on building a trade secret protection program from scratch.

Perpetual obligations carry one enforceability caveat worth respecting: some courts view indefinite contractual restrictions with suspicion and scrutinize them more closely than time-limited ones, particularly where the "confidential information" is really ordinary know-how dressed up as a secret. The cure is precision. An indefinite obligation tied specifically to genuine trade secrets—information that derives value from secrecy and is in fact kept secret—is generally enforceable, because the indefinite restriction is justified by the indefinite interest. A blanket "you may never use anything you learned, forever" clause is the kind of overreach courts trim. Draft for the secret you actually have, not the secret you wish you had.

A final, subtle choice lurks in the survival clause: does the clock run from the date of each disclosure, or from the termination of the agreement? Running it from each disclosure is administratively complex—every document expires on its own anniversary—but arguably fairer to the recipient. Running it from termination gives everything a single, simple expiration date but can leave a disclosure made the day before termination with far less protection than the parties intended. Most agreements run survival from termination for simplicity; if a late disclosure is especially sensitive, mark it as a trade secret and let the trade secret proviso carry it.

The DTSA Whistleblower-Immunity Notice: the Clause Everyone Forgets

Here is the provision that almost no recycled NDA contains and that can quietly cost a company millions—and it is the single most valuable thing this guide can add to your form.

When Congress passed the Defend Trade Secrets Act in 2016, it included a whistleblower-protection provision, 18 U.S.C. § 1833(b), that grants individuals immunity from trade secret liability for disclosing a trade secret in confidence to a government official or attorney solely to report or investigate a suspected violation of law, or in a sealed court filing. So far, so reasonable. But Congress did something clever to give the immunity teeth: it required employers to notify employees and contractors of that immunity "in any contract or agreement with an employee that governs the use of a trade secret or other confidential information," 18 U.S.C. § 1833(b)(3)(A). And it attached a sharp penalty for skipping the notice.

Under § 1833(b)(3)(C), an employer that fails to include the required immunity notice in a covered agreement may not recover exemplary (double) damages or attorneys' fees under the DTSA against an employee or contractor who was bound by that agreement—even where the misappropriation was willful and malicious and the employer would otherwise plainly be entitled to them under 18 U.S.C. § 1836(b)(3)(C)–(D). Read that again, because the consequence is severe and easy to miss: omit a short, costless paragraph from your NDA, and you forfeit two of the DTSA's most powerful remedies against the very people most likely to steal from you. The notice does not protect the wrongdoer's underlying misconduct; it simply zeroes out the enhanced-damages and fee-shifting upside that makes DTSA litigation worth bringing against an individual.

The practical implications are concrete and immediate. An NDA "governs the use of a trade secret or other confidential information"—that is the entire point of an NDA—so the notice requirement reaches confidentiality agreements squarely, and it reaches contractors and consultants as well as W-2 employees, because the statute's definition of "employee" includes individuals performing work as contractors or consultants. For Lumen, this matters in two directions at once. When Lumen's NDA with Crane binds Crane's individual engineers and contractors who will see the algorithm, the notice should be present so that Lumen preserves its full DTSA remedies against any individual who walks off with the secret. And in Lumen's own internal agreements—the employee and contractor confidentiality and invention-assignment agreements that bind its workforce—the notice is non-negotiable, because those are the agreements most likely to be tested when an engineer departs for a competitor. The compliant approach is to either set out the § 1833(b) immunity language directly in the agreement or expressly cross-reference a separate policy document that contains it, and standard "Notice of Immunity Under the DTSA" clauses exist precisely for this purpose.

The reason this clause is so often missing is also the reason it is so dangerous: it confers no benefit the parties feel during the negotiation, costs nothing to include, and produces consequences only years later when litigation is already underway and it is far too late to add. It is the legal equivalent of a smoke detector—invisible until the night it is the only thing that matters. Add it to every confidentiality and invention-assignment agreement that binds an individual, full stop. We treat the same requirement in detail in our guide on employee invention assignment agreements, and the broader DTSA remedial scheme it unlocks in our guide on the protection of trade secrets.

Compelled Disclosure, Return of Materials, and Remedies

Three further provisions turn a tidy agreement into a usable one, and each addresses a moment the parties hope will never come but must prepare for.

Compelled disclosure addresses the reality that a subpoena, regulatory demand, or court order may force the recipient to disclose confidential information whether anyone likes it or not. An NDA cannot override valid legal process—no contract can—but it can channel the recipient's response. A good clause requires the recipient to give the discloser prompt notice (where legally permitted) so the discloser can seek a protective order, to cooperate at the discloser's expense in resisting or narrowing the demand, to disclose only the minimum the process actually requires, and to seek confidential treatment for whatever must be produced. Critically, it should also clarify that a compliant compelled disclosure is not a breach. This framework protects both sides at once: the discloser gets notice and a fighting chance to assert protections; the recipient gets clear marching orders and the assurance that obeying a court will not somehow create liability to its counterparty.

Return or destruction of materials addresses the end of the relationship. On request or termination, the recipient must return or destroy all materials containing confidential information and certify—by an officer—that it has done so. The certification is not ceremony; it forces a named human being to actually verify compliance rather than assume it. Modern drafting must accommodate digital reality, because true deletion across email archives, version-control history, automated backups, and cloud systems is often impractical and sometimes conflicts with the recipient's own legal retention obligations. The sensible solution permits retention of copies required by law or generated by routine automated backup, provided they remain subject to the confidentiality and non-use obligations for as long as they are retained. That proviso is essential: without it, a recipient could argue that information accidentally surviving on a backup tape has somehow shed its restrictions merely because the relationship ended—turning a backup system into a laundering machine for secrets.

Remedies are what make every other provision more than aspiration, and in confidentiality disputes the most important remedy by far is injunctive relief. The reason is structural: money damages for a confidentiality breach are notoriously hard to prove and almost always inadequate to stop ongoing harm. Once Lumen's algorithm is out, no damages award puts it back in the box—the secret is gone, the competitive advantage is gone, and a check cannot un-ring the bell. NDAs facilitate injunctive relief through contractual acknowledgments: that a breach may cause irreparable harm for which damages are inadequate, that the non-breaching party may seek equitable relief without first proving actual monetary damages, and (often) without posting a bond. These acknowledgments do not bind courts, which retain full discretion over equitable remedies, and a court will not enjoin on the say-so of a contract recital alone. But they are far from worthless: they establish the parties' shared understanding, they speak directly to the very elements—irreparable harm, inadequacy of legal remedies—that a court must weigh under Federal Rule of Civil Procedure 65, and they remove easy arguments the breaching party would otherwise make. They are the difference between starting the injunction fight on the front foot and starting it flat-footed.

Two companion remedies round out the clause. A liquidated-damages provision can supply certainty where actual damages are genuinely hard to ascertain, but it must reflect a reasonable pre-estimate of probable harm rather than function as an in terrorem penalty, or a court will refuse to enforce it; the governing standard is the familiar one of Restatement (Second) of Contracts § 356, under which a liquidated sum unreasonably large in light of anticipated or actual loss is unenforceable as a penalty. And a cumulative-remedies clause preserves the discloser's ability to pursue trade secret, tort, and statutory claims alongside the contract claim, so that suing on the NDA does not inadvertently waive the DTSA seizure and exemplary-damages remedies the company worked so hard to preserve with its § 1833(b) notice. The remedies clause and the whistleblower-notice clause, in other words, are two halves of a single strategy: one makes the powerful statutory remedies available, the other makes sure the contract does not throw them away.

Governing Law, Jurisdiction, and Cross-Border Deals

Every NDA should specify governing law and dispute resolution, and these provisions—dismissed as boilerplate by people who have never watched them decide a case—can quietly determine the outcome before anyone reaches the merits.

Governing law selects which state's contract principles apply, and the states differ in ways that matter: on how confidentiality provisions are interpreted, on the enforceability of related restraints like non-competes and non-solicits, and on the remedies available. California, to take the sharpest example, is notoriously hostile to anything resembling a restraint on employee mobility, so a residuals or non-use provision that reads as a covert non-compete may fare very differently in California than in Delaware or New York. The chosen jurisdiction should bear a reasonable relationship to the transaction or a court may decline to honor the choice, and a "without regard to its conflict-of-laws principles" tag keeps the chosen forum from using its own choice-of-law rules to route the dispute back to some other state's substantive law—a small phrase that prevents a large headache.

Jurisdiction and venue clauses fix where disputes are litigated, frequently in the discloser's home forum, though receiving parties routinely push for a neutral or at least non-exclusive venue, and the balance again tracks leverage and the actual flow of risk. Arbitration is a serious alternative with real trade-offs. On the plus side: confidential proceedings—genuinely valuable when the dispute itself would expose the very secrets at issue, a recurring irony of trade secret litigation—plus speed and the option of technically expert arbitrators who can actually understand a perception algorithm. On the minus side: constrained discovery, sharply limited appellate review, and sometimes substantial cost. For technology deals with international dimensions, arbitration under established institutional rules (ICC, AAA, or JAMS) with a specified seat can dramatically ease cross-border enforcement under the New York Convention, which is the practical clincher: enforcing a U.S. court judgment abroad is often slow and uncertain, while enforcing an arbitral award under the Convention is comparatively reliable across more than 170 countries. When the recipient sits overseas and the secret could be exploited overseas, that enforcement asymmetry frequently tips the choice toward arbitration. We explore the broader machinery of cross-border dispute resolution in our guide on drafting software license agreements, which shares much of the same DNA.

The Technology Industry's Hard Problems

Beyond the standard framework, technology deals raise issues that generic NDAs handle poorly, and Lumen's deal implicates nearly all of them.

Residual Knowledge: the Thorniest Fight in the Room

Residual knowledge generates more negotiation friction than any other NDA issue, and for a reason that is both simple and unavoidable: people who receive confidential information inevitably retain some of it in their memories after the documents go back and formal access ends. A literal reading of an ironclad confidentiality obligation might bar those individuals from ever again working on related projects—an outcome that would make technology employment and consulting nearly impossible, because you cannot surgically forget what you have seen. Residual-knowledge clauses address this by permitting the recipient to use the general knowledge, skills, and experience its people retain in their unaided memories, even if learned partly from the disclosure—usually hedged with safeguards: "unaided memory" excludes anything reconstructed from notes or copies, "non-tangible form" excludes documents recreated from memory, and an "intentional memorization" carve-out stops a bad actor from deliberately committing secrets to memory to exploit the exception.

Disclosing parties view these clauses warily, and rightly so, because a broad residuals clause can swallow the entire NDA: if the recipient may freely use whatever its engineers "remember," then a confidentiality agreement covering know-how is reduced to a confidentiality agreement covering paper. Some disclosers refuse residuals clauses entirely for the most sensitive categories—cryptographic algorithms, security vulnerabilities, core processes. For Lumen, this is the crux of the whole negotiation. A residuals clause that lets Crane's engineers freely use what they "remember" of the perception algorithm could gut the protection, because the algorithm is exactly the kind of thing a skilled engineer can substantially reconstruct from memory after studying it. Lumen should therefore resist a broad residuals clause for the algorithm specifically, or insist on the tightest safeguards—while honestly recognizing that Crane has a legitimate interest in not freezing its engineers out of an entire technical field over a few weeks of evaluation. The tension connects directly to employee-mobility law and the contested inevitable-disclosure doctrine, which we examine alongside the collapse of the FTC's non-compete rule in our guide on non-compete agreements under siege.

It is worth watching how that negotiation might actually unfold, because the abstract clause becomes a concrete contest of interests. (The following exchange is a hypothetical illustration.) Crane's lawyers open by proposing a broad residuals clause: their engineers, they argue, work across many robotics projects, and Crane cannot have its people legally barred from the entire field of machine perception just because they spent three weeks evaluating Lumen's technology. The position has genuine force—an engineer cannot un-see an architecture, and an unrealistic restriction may be both impractical and, in a place like California, unenforceable as a restraint on trade. Lumen's lawyers counter that the algorithm is the company, and a residuals clause broad enough to let Crane's engineers rebuild it from memory would convert the NDA from a shield into a free license.

The middle ground usually has several moving parts, and skilled drafters assemble them deliberately. Lumen might accept a residuals clause for general knowledge, skills, and experience while expressly excluding the specific algorithm, its parameters, its training methodology, and its source code from the residuals carve-out—so Crane's engineers remain free to work in perception broadly but cannot use the particular thing they were shown. Lumen might also control who sees the most sensitive material in the first place, insisting that the actual source code be reviewed only by a small, named team that Crane agrees to wall off from its competing development efforts—which simultaneously narrows the residuals exposure and creates a cleaner record of independent development if Crane later ships something similar. And Lumen might pair the narrow residuals clause with a robust non-use covenant and the trade-secret-survival proviso discussed above, so that even "remembered" information that crosses into the algorithm itself remains actionable. The lesson is that residual knowledge is never an all-or-nothing fight. The skilled drafter narrows the category, controls the exposure, and reserves the crown jewels—giving each side most of what it actually needs while protecting the one thing that cannot be given away.

Reverse Engineering, Security, IP, and Open Source

Reverse-engineering restrictions prevent the recipient from dissecting disclosed products to extract confidential information, and they are generally enforceable against parties who voluntarily agree to them. The Federal Circuit confirmed in Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003), that a contractual prohibition on reverse engineering is enforceable and is not preempted by federal copyright law—parties may bargain away a freedom that copyright law would otherwise permit. But the restriction must be drafted with a legal qualifier, because some jurisdictions grant statutory rights to decompile software for interoperability that cannot be overridden by private contract—the European Union's Software Directive is the standard example. The careful clause therefore bars reverse engineering, decompilation, and disassembly "except to the extent such restriction is prohibited by applicable law," preserving the prohibition everywhere it can validly run while avoiding the unenforceability that an absolute ban would invite in interoperability-protective jurisdictions.

Security requirements are warranted when especially sensitive information changes hands, obligating the recipient to protect the information with safeguards no less rigorous than those it uses for its own comparable information and, in any event, no less than reasonable industry standards. This matters more than ever now that confidential information lives in cloud systems and on the laptops of remote workers; the special exposures of distributed work are the subject of our guide on trade secrets in the age of remote work and cloud computing, and the breach scenarios that can vaporize a secret overnight in our guide on cybersecurity incident response and IP protection. IP-ownership provisions make explicit that disclosure transfers no intellectual-property rights and grants no implied license—a point that becomes load-bearing when the NDA precedes a deal that will involve actual licensing, so that no one can later claim the evaluation phase silently conferred rights. And an open-source provision can head off a genuinely catastrophic risk: that confidential code incorporated into an open-source project could become subject to copyleft terms requiring public disclosure of the surrounding code. We unpack that hazard in our guide on open-source licensing landmines in enterprise software development; in the NDA, the cure is a clause requiring the disclosing party's consent and defined protective measures before any confidential code is combined with open-source software.

Assembling the Pieces: a Note on the Sample Agreement

A well-drafted mutual NDA assembles all of these provisions into a coherent whole, and seeing the architecture laid out makes clear that nothing in it is decorative. The agreement opens with a preamble identifying the parties and establishing mutuality, and a purpose clause that frames the relationship and defines the "Purpose" that anchors the use restrictions. It defines confidential information through the layered approach—marking, written confirmation for oral disclosures, the reasonable-person catchall, and an enumerated, non-exclusive list keyed to the deal—and then states the standard exclusions with their documentation requirements. It imposes both non-disclosure and non-use covenants tied to the Purpose, with a need-to-know exception and the recipient's responsibility for its representatives. It includes the DTSA whistleblower-immunity notice. It addresses compelled disclosure, return and destruction (accommodating digital realities), and the absence of any granted IP rights. It sets term and survival with extended, potentially perpetual protection for trade secrets. It supplies a remedies clause built to facilitate injunctive relief and to preserve cumulative remedies. It fixes governing law, jurisdiction, and dispute resolution. And it closes with the usual general provisions—entire agreement, amendment in writing, no waiver, severability, assignment, counterparts—that keep the rest from quietly unraveling.

The single best drafting habit is to annotate each provision in the parties' own working drafts, so that everyone understands not just what a clause says but why it is there. An NDA whose drafters understand the purpose of each clause is an NDA that will be negotiated sensibly and will hold up when tested; an NDA assembled by copy-and-paste is the boilerplate-recycling trap this guide opened by criticizing—a document that looks protective and is not. There is no one-size-fits-all NDA, because the right language always depends on the parties, the information, and the relationship. The form is a starting point, never a finish line.

When the NDA Is Breached: the Litigation Reality

Drafting an NDA well is ultimately a bet about what happens if it is breached, so it is worth following the breach through to litigation, because the realities of enforcement are precisely what explain why the provisions above are drafted as they are.

Suppose that, months after the talks fizzle, Lumen sees a Crane product demonstration featuring object-grasping behavior that looks uncannily like its own, and suspects Crane used the perception algorithm even though the integration deal never closed. What can Lumen actually do? The first move is almost always a motion for a temporary restraining order and a preliminary injunction, because the central harm—ongoing use of the algorithm—cannot be undone with money. This is where the remedies provisions earn their keep: the contractual acknowledgment of irreparable harm and the no-bond language help Lumen clear the Rule 65 hurdles quickly, and the precise definition of confidential information lets Lumen point a judge to exactly what was protected rather than waving at a vague cloud of "our technology."

But the injunction fight also exposes the limits of contract, and every defense Crane raises maps directly onto a clause we have already discussed. Lumen must show not merely that Crane has something similar but that Crane used Lumen's confidential information to build it—and Crane will respond with exactly the defenses the NDA's own structure invites. It developed the feature independently (which is why the independent-development exclusion and any clean-room record matter so much). The relevant techniques were publicly known (which is why the public-information exclusion exists and why Lumen's enumerated definition and marking discipline matter). Whatever its engineers retained was permissible residual knowledge (which is why the residuals clause's precise wording becomes the entire battleground). The case Lumen can bring is only ever as strong as the agreement it drafted and the records it kept. The litigation does not create the protection; it merely cashes in the protection that careful drafting banked months earlier.

Damages, if the case survives past the injunction, are notoriously hard in confidentiality disputes, which is the practical reason injunctive relief is the main event rather than a sideshow. Proving the dollar value of a leaked algorithm—lost sales that cannot be cleanly traced to the breach, a competitive advantage diminished by some unquantifiable degree—is exactly the difficulty that liquidated-damages clauses try to sidestep and that the irreparable-harm acknowledgment anticipates. And running underneath the entire contract case is the trade secret claim the NDA was partly built to support. Because Lumen used an NDA, marked its materials, restricted access to a need-to-know group, and limited disclosure, it can plausibly argue the algorithm is a protectable trade secret and invoke the DTSA's powerful remedies—including, in an extreme case, ex parte seizure under 18 U.S.C. § 1836(b)(2) and exemplary damages and attorneys' fees under § 1836(b)(3)—provided it preserved those remedies with the cumulative-remedies clause and, crucially, did not forfeit the enhanced damages by omitting the § 1833(b) immunity notice from the agreements binding the individuals involved. The breach scenario, in short, validates the entire drafting philosophy of this guide: every provision that felt like fussy detail during the negotiation—the precise definition, the documented exclusions, the marking discipline, the narrow residuals clause, the whistleblower notice, the irreparable-harm language, the cumulative-remedies preservation—turns out to be the thing that decides whether Lumen can stop Crane or can only watch its competitive advantage walk out the door. We trace the litigation machinery in more depth in our guide on the protection of trade secrets.

Who Wants What: the Predictable Negotiation

NDA negotiations circle a predictable set of provisions, and knowing the typical positions lets both sides prepare instead of improvise. Disclosing parties generally push for broader definitions, longer or perpetual survival, stronger remedies, and home-forum jurisdiction, while resisting residual-knowledge clauses, narrow exclusions, and any limit on the scope of confidentiality. Receiving parties generally push for clear marking requirements, narrower and more determinate definitions, reasonable survival periods, residual-knowledge provisions, and neutral jurisdiction, while resisting perpetual obligations, sweeping definitions that might inadvertently capture their own pre-existing information, and provisions that could chill employee mobility. The dynamic turns on relative leverage and on how badly each side wants the deal—a startup courting a powerful partner may have little room to maneuver, while two equals exploring a partnership negotiate as peers.

But regardless of leverage, certain points should never be compromised by either side. Both should insist on the standard exclusions, because an NDA purporting to protect public information is bad for everyone and corrodes enforceability. Both benefit from definitions clear enough to permit actual compliance, because an obligation no one can operate is an obligation no court will enforce. Both should ensure the agreement honestly reflects the real information flow and the nature of the relationship, because a document that misdescribes the deal is a document that will surprise its drafters in litigation. For Lumen, the non-negotiables are tight protection for the algorithm, a narrow or heavily safeguarded residuals clause, meaningful injunctive-relief language, and the § 1833(b) notice; for Crane, clear marking requirements, a workable residuals provision so its engineers are not frozen out of robotics generally, and certainty about exactly what it must protect. A good negotiation is not a war over every clause—it is a disciplined sorting of the provisions that are genuinely load-bearing from the ones that are merely conventional.

The NDA in a Web of Agreements

An NDA rarely stands alone, and understanding where it sits among a company's other contracts prevents both gaps and contradictions. Lumen's perception algorithm is protected not by one document but by a layered set of agreements that must work together, and a single weak link can unravel the whole.

The employment and invention-assignment agreements that Lumen's own engineers signed are what establish that the algorithm belongs to Lumen at all and that its own people owe confidentiality duties—the bedrock on which every external NDA rests, because Lumen cannot meaningfully promise Crane to protect something its own staff are legally free to walk away with. (Those agreements are also where the DTSA § 1833(b) notice does its most important work, as we explain in our guide on employee invention assignment agreements.) The NDA with Crane governs the specific external disclosure. If the integration proceeds, a definitive commercial agreement—a license or co-development agreement—will supersede the NDA's preliminary framework with detailed, transaction-specific confidentiality, IP, and use provisions; the terms that follow are the subject of our guide on drafting software license agreements. And Lumen's agreements with its own vendors, contractors, and cloud providers must contain confidentiality terms at least as protective as what it promises Crane, so the chain of protection does not snap at its weakest link.

Two practical lessons follow. First, these agreements must be consistent. If Lumen's NDA with Crane promises perpetual trade-secret protection but Lumen's contracts with its own subcontractors impose only a two-year confidentiality term, Lumen has manufactured exactly the kind of gap a court will seize on when assessing whether Lumen took "reasonable measures" to protect its secret. A company is only as careful as its sloppiest contract. Second, the agreements should be sequenced to the relationship's stage—a lightweight mutual NDA for the first exploratory meetings, a more comprehensive agreement for deep technical engagement, and a definitive contract with robust confidentiality and IP provisions for the ultimate deal—so that the level of protection scales with the depth of disclosure rather than lurching from nothing to everything. Companies serious about confidentiality build NDA execution directly into their information-sharing workflow: before anything confidential goes out the door—to a prospective partner, an investor, a customer, or a vendor—the right agreement is already in place and already signed. The NDA, in this view, is not a standalone safeguard but the contractual connective tissue that makes a company's technical, administrative, and legal protections reinforce one another instead of leaving seams an adversary can exploit.

Frequently Asked Questions

Is an NDA the same thing as a trade secret protection program? No, and treating them as interchangeable is a common and costly error. An NDA is one contractual measure within a broader program that also includes physical and technical security, access controls, employee training, marking practices, and exit procedures. The NDA is evidence that you took reasonable measures, but a company that signs NDAs and then leaves its source code on an unsecured shared drive has not taken reasonable measures and may lose trade secret status anyway. See building a trade secret protection program from scratch.

Does an NDA protect information forever? Only if it is drafted to. Most NDAs impose a fixed survival period—often three to five years—that is appropriate for ordinary commercial information but fatal for genuine secrets. To protect a trade secret indefinitely, the agreement needs an explicit proviso that obligations as to trade secrets continue for as long as the information remains a trade secret. Without it, your NDA may quietly authorize the free use of your crown jewels on a date you forgot you agreed to.

What is the single most overlooked clause in technology NDAs? The DTSA whistleblower-immunity notice required by 18 U.S.C. § 1833(b). Omitting it from agreements that bind individuals forfeits the right to recover exemplary (double) damages and attorneys' fees under the DTSA against those individuals, even for willful and malicious misappropriation. It costs nothing to include and is almost never in recycled forms—add it to every confidentiality and invention-assignment agreement that binds an employee or contractor.

What is the difference between a non-disclosure and a non-use obligation, and do I need both? Yes, you need both. Non-disclosure stops the recipient from telling others; non-use stops the recipient from exploiting the information internally for its own benefit. An NDA with only a non-disclosure covenant lets a recipient quietly build a competing product from what it learned, without ever disclosing anything—which is usually the exact harm the disclosing party most fears.

Can we contractually prohibit reverse engineering? Generally yes, as confirmed in Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003)—a voluntary contractual ban on reverse engineering is enforceable and not preempted by copyright law. But some jurisdictions grant non-waivable statutory rights to decompile software for interoperability (notably the EU), so draft the prohibition to apply "except to the extent prohibited by applicable law."

Is a mutual NDA always better than a one-way NDA? No. Use the structure that matches the actual flow of information. Where disclosure runs genuinely in one direction, a unilateral NDA is clearer and avoids handing the recipient rights it has no real use for. Default to mutual only when both sides will truly share confidential information or when the flow is genuinely uncertain at the outset.

Will signing an NDA guarantee I can get an injunction if it is breached? No. Contractual recitals of irreparable harm and waivers of bond help, and they speak to the very factors a court weighs under Rule 65, but courts retain discretion over equitable relief and will not enjoin on a contract recital alone. The injunction still depends on the facts—and on whether your definition, exclusions, and marking discipline let you prove the recipient actually used your protected information.

Conclusion

A well-drafted NDA protects confidential information by clearly defining what is covered, fixing how it may and may not be used, specifying how long the protection lasts, handling the practical realities of compelled disclosure and the return of materials, preserving the statutory remedies that make enforcement worthwhile, and supplying contractual hooks—irreparable-harm acknowledgments, cumulative remedies, the § 1833(b) notice—that turn a breach into a winnable case. A poorly drafted one creates an illusion of protection that evaporates the moment it is tested. The difference between the two is not length, and it is not legalese. It is whether the drafter understood the purpose of each provision and adapted it to the actual deal in front of them.

For Lumen Robotics, getting the NDA right is not a formality to rush through on the way to the "real" negotiation—it is the negotiation that determines whether Lumen can have the conversation with Crane at all without giving away the company. In technology transactions, where the confidential information frequently represents years of work and the entirety of a company's competitive advantage, the hours invested in thoughtful drafting repay themselves many times over in protection, enforceability, and the preserved value of the very information that made the deal worth pursuing in the first place. The NDA that gets signed and forgotten is the one that fails. The NDA that gets understood is the one that holds.

For help drafting or negotiating an NDA for a technology transaction, contact our intellectual property and technology practice.


Selected Authorities

Defend Trade Secrets Act of 2016, 18 U.S.C. §§ 1836–1839 (including the whistleblower-immunity notice requirement, § 1833(b), and exemplary damages and attorneys' fees, § 1836(b)(3)(C)–(D)); Uniform Trade Secrets Act (adopted in 49 states); Restatement (Second) of Contracts § 356 (liquidated damages and penalties); Restatement (Third) of Unfair Competition §§ 39–45; Fed. R. Civ. P. 65 (injunctions). Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 925 F.2d 174 (7th Cir. 1991); Lasership, Inc. v. Watson, 79 Va. Cir. 205 (2009); Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003).


This guide is for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. Contract and trade secret law vary by jurisdiction and continue to evolve; the discussion here may not reflect the most recent developments, and the sample language described is illustrative rather than a substitute for counsel. Consult a qualified attorney to prepare or review an NDA for your specific transaction.