Everything you Need to Know About Non-Disclosure Agreements: A Detailed Guide for Reviewing Business-to-Business NDAs


Author: Ty Leitow

Last Updated: July 15th, 2025

You don’t have to spend much time in the working-world before you run into a non-disclosure agreement (“NDA”). Most lawyers and paralegals become familiar with NDAs early in their careers. Professionals in almost every business department are eventually presented with an NDA. A small/medium sized business may see over 100 NDAs in a given year, and depending on the industry and market, a large company may process over 1,000 NDAs in a single year.

NDAs are essential to business.

If you’re reading this, it probably means you have questions related to NDAs. Maybe you need to review another company’s NDA. Maybe you’re updating your own company’s NDA. Maybe you’re developing NDA training for your team. If you said yes to any of these, you’ve landed in the right place.

This whitepaper answers the following questions:

  1. What is an NDA?

  2. What are the different types of NDAs?

  3. What are the guiding principles for reviewing NDAs?

  4. What are the Key Clauses in an NDA and what do they mean?

1. What is an NDA?

  • A non-disclosure agreement, or NDA, is a legal contract between two or more parties that protects confidential information from: (i) disclosure to unauthorized third parties, and (ii) unauthorized use.

  • NDAs may also be referred to as a Confidentiality Agreement (“CA”) or a Proprietary Information Agreement (“PIA”). As with all agreements and contracts, the name does not necessarily matter as much as its terms and conditions. An NDA can go by different names, but the key is that the agreement deals with the sharing and protecting of confidential information.

  • In a business setting, companies enter into NDAs to explore potential business relationships, to further existing business relationships, collaborate and partner on projects, and generally do business with each other.

  • NDAs allow businesses to share confidential information with each other by providing legal protection against unauthorized use and disclosure.

2. What are the different types of NDAs?

  • There are three basic types of NDAs in a B2B setting: (1) One-way NDA (also referred to as a Unilateral NDA), (2) Two-way NDA (also referred to as a Mutual NDA), and (3) Multi-Party NDA (often taking the form of a 3-way NDA).

  • One-Way NDA (Unilateral NDA)

    • Under a Unilateral NDA, only one party’s information is protected against unauthorized use and disclosure. These should only be used when it’s clearly understood that the flow of confidential information will be one-way.

    • For example, let’s say ABC Inc. and XYZ Corp. enter into a Unilateral NDA which states ABC Inc. is the disclosing party, and XYZ Corp. is the receiving party. Here, only ABC Inc’s information is protected. If XYZ Corp shares its confidential information with ABC, Inc., XYZ Corp would not be protected against unauthorized use or disclosure under the Unilateral NDA. ABC Inc. would not be contractually restricted from using or disclosing XYZ Corp’s confidential information.

  • Two-Way NDA (Mutual NDA)

    • Under a Mutual NDA, both parties’ information is protected against unauthorized use and disclosure by the other party. Generally, both parties may disclose their respective confidential information to the other party, and each party, as a receiving party, has an obligation to protect the information from unauthorized use and disclosure.

    • Mutual NDAs are common and often are the preferred type of NDA in B2B engagements.

  • Multi-Party NDA (Commonly in the form of a 3-way NDA)

    • Multi-Party NDAs are similar to Mutual NDAs, except there are more than 2 parties. 3-Way NDAs are the most common type of multi-party NDAs.

    • Like a Mutual NDA, each party may be a disclosing party (disclosing its own information to other parties) and a receiving party (receiving information from the other parties). Each party’s confidential information is contractually protected against unauthorized use and disclosure.

  • Practical Tip: Don’t Trust the Title of an NDA (or the title of any contract for that matter).

    • Just because an agreement says “Non-Disclosure Agreement”, “Mutual NDA”, or “3-way NDA”, does not mean it actually gives your company any protection. Always read the document and make sure the terms and conditions meet your business’s needs.

    • Trust but verify.

3. What are the guiding principles for reviewing NDAs?

  • Each company, legal department, and CEO will have different approaches to risk related to NDA review. As such, the following guiding principles may not map perfectly 1 to 1 to your company or legal department. However, over my career, the following principles have applied across a variety of situations, including large publicly traded companies, small-to-medium sized businesses, and start-ups, spanning a variety of industries, including manufacturing, technology, renewable energy, and finance.

  • NDAs need to be Good, but not Perfect.

    • Generally, unless the NDA involves intellectual property rights and licensing or highly confidential information, the NDA needs to be good, but not perfect. A vast majority of NDAs will involve normal business-to-business activities, such as sharing RFQs, quotes, commercialized product and service information, and onboarding new customers and vendors (I’ll refer to these types of purposes as “Normal Business Engagements” in this whitepaper). In these situations, usually a standard mutual NDA will be sufficient. When you review another company’s mutual NDA for these Normal Business Engagements, especially in the interest of time and efficiency, try to avoid redlining minor issues of grammar, spelling, and syntax unless there is a material issue that creates unreasonable risk for your company.

  • Focus on the Basics.

    • For Normal Business Engagements, your primary goal in reviewing an NDA is to make sure it has the normal protections and provisions for a mutual NDA. Typically, you’ll want to avoid re-writing or adding clauses that are merely nice-to-haves.

  • Ask Questions.

    • Sometimes (possibly often, depending on your organization), you’ll receive an NDA from a business unit with zero context. Some person from the sales team emails you an NDA and just says “Please review” or “Please approve”. In these situations, do not be afraid to ask for background information. It should be standard operating procedure for requests for NDA review to include basic background information, including the legal name of the other party, that party’s line of business, the purpose of the business relationship, and the purpose of the NDA.

    • For anyone in the legal team, whether you’re a paralegal or a lawyer, management should empower you to ask questions about any document a business unit has asked you to review. While some business professionals may see these questions as unwarranted, the good ones will understand that you need this type of background information to properly complete the review.

  • Protect and Restrict.

    • As you read, research, learn and review, don’t forget the basic reason for NDAs: to give your company a legally protected method of sharing and receiving confidential information.

  • Enable the Business.

    • Finally, also don’t forget the ultimate purpose of an NDA: to enable the business.

    • NDAs allow your company to work with customers, suppliers, vendors, consultants, government entities, etc. As a legal professional working in-house, or even a business professional taking on legal responsibilities, you always want to search for that middle-ground where the legal interests of the company are protected, but in a way that allows the business to adapt, engage and grow.

    • Legal risk will never be zero.

4. What are the Key Clauses in an NDA and what do they mean?

Here’s a List of Key NDA Clauses. Each will be covered in detail below.

  1. Title and Type

  2. Introduction

  3. Purpose

  4. Definition of Confidential Information

  5. Restrictive Obligations of the Receiving Party

  6. Common Exceptions

  7. Term Length

  8. Disposal of Confidential Information

  9. No Warranty

  10. No Transfer of Rights or License

  11. Remedies and Liability

  12. Governing Law

1. Title and Type

  • As an initial matter, it’s a good idea to determine what type of NDA you’re reviewing. The type of NDA must fit the business purpose for the exchange of confidential information.

  • Be careful not to assume anything based on the title of the NDA. A common pitfall of NDA review is being given a One-Way NDA from the other party when a Two-Way NDA is more appropriate.

  • Example One-Way NDA Language:

    • The “Disclosing Party” under this Agreement is ABC, Inc. and the “Receiving Party” is XYZ, Corp. Pursuant to the terms and conditions of this Agreement, Disclosing Party intends to disclose certain confidential and proprietary information to the Receiving Party for the purpose of evaluating a potential business relationship (the “Purpose”).

    • Note that by definition, ABC, Inc. is the only disclosing party under the NDA, which means only ABC, Inc’s information would be protected under the NDA.

  • Example Two-Way NDA Language:

    • A “Disclosing Party” is a party who discloses its confidential information to the other party under this Agreement related to the Purpose.

    • A “Receiving Party” is a party who receives Disclosing Party’s confidential information pursuant to this Agreement.

    • Each party to this NDA may be a “Disclosing Party” or a “Receiving Party”.

2. Introduction

  • The first paragraph in most agreements, including NDAs, usually lists the parties. Having the correct legal name of each party to the NDA is important to making sure the NDA is a legally enforceable agreement. Generally, only a party to the NDA may enjoy the rights and protections the NDA grants for confidential information disclosed and received.

  • For legal professionals, NDAs are often provided with generic names or the common business names for the parties. To help minimize risk and confusion, NDAs (and all contracts) should have the correct legal name of the parties. Often this requires talking to your company’s business unit or business lead, and sometimes the other party, to obtain the proper legal name of the other party.

  • For large organizations with multiple affiliates, legal professionals also need to speak to the internal business units and leads to ensure your organization’s correct affiliate is the party to the NDA.

3. Purpose

  • NDAs should clearly state the Purpose of the NDA. Legal rights and protections under the NDA are usually limited to Confidential Information that is related to the Purpose.

  • The Purpose may be broad, e.g. “To evaluate a potential business relationship or to further an existing business relationship.”

  • The purpose may also be narrow, e.g. “To explore a possible joint venture related to autonomous driving vehicle technology.”

  • When reviewing an NDA, you want to be sure the stated Purpose matches the actual business engagement. For Normal Business Engagement NDAs, a broad purpose is preferred.

  • However, there are valid business and legal reasons to utilize a narrow Purpose. In these cases, the practical effect is that any information shared that is outside the scope of the stated Purpose would not be subject to the restrictions of the NDA, and may not have any legal protection.

  • Here’s an example of potential risk of an NDA with a narrow Purpose:

    • ABC, Inc. and XYZ Corp. enter into an NDA with the stated Purpose of: ‘To explore the purchase and sale of customized data privacy software.’

    • During discussions, an engineer with XYZ Corp shares confidential information about new customer relationship management (“CRM”) software XYZ Corp is developing.

    • Because this information about new CRM software is not related to customized data privacy software, and outside the scope of the stated Purpose, the information would not be protected under the NDA.

4. Definition of Confidential Information

  • All NDAs should have a specific definition of what “Confidential Information” is under the NDA. Generally, only information that is within the scope of the definition of Confidential Information is afforded legal protection against unauthorized use and disclosure.

  • Some definitions may be broad, listing off almost every type and form of information that could be disclosed.

  • Other definitions may be narrow, limiting “Confidential Information” to only certain types or information in certain formats. For example, in an NDA with a narrow definition, “Confidential Information” may only include written information that is marked as “confidential” or “proprietary”.

  • Generally, the underlying business purpose for the NDA should provide guidelines for how broad or narrow the definition of Confidential Information should be. For most Normal Business Engagements, a broad definition of Confidential Information is preferred.

    • Broad definitions help reduce the risk of information being shared that is not contractually protected under the NDA.

    • Some companies take an aggressive, or even an underhanded approach to NDAs, intentionally using narrow definitions to try and obtain confidential information that is outside the scope of the NDA’s definition of “Confidential Information”, which would allow the company to use that information without restriction.

    • Legal departments need to make sure the business units and business leads understand what information may, and may not, be shared under the NDA.

  • When meetings (virtual and in-person), or site-visits are anticipated, the definition of Confidential Information should also include verbal, visual, and/or any information obtained while on a party’s premises.

  • Here’s an example of a broad definition of Confidential Information:

    • “Confidential Information” means all non-public, confidential, proprietary, or trade secret information, in any form or medium, whether disclosed orally, visually, electronically, or in writing, that is disclosed or made available by or on behalf of the Disclosing Party to the Receiving Party, whether before or after the Effective Date, and that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances surrounding its disclosure. Confidential Information includes, without limitation: business plans, strategies, forecasts, and financial information; pricing, costs, and commercial terms; customer and supplier information; intellectual property, inventions, and know-how; product designs, specifications, and prototypes; software, source code, and technical documentation; internal reports, employee information, and training materials; and any third-party information that the Disclosing Party is obligated to keep confidential.

5. Restrictive Obligations of the Receiving Party

  • One of the primary reasons for an NDA is to minimize the risk of confidential information your company shares being misused or disclosed to unauthorized third parties.

  • Generally, a good NDA will place the following restrictions on the Receiving Party:

    • Non-Use. Prohibits the Receiving Party from using Confidential Information for any purpose except for the stated Purpose.

    • Non-Disclosure. Prohibits the Receiving Party from sharing Confidential Information with any third party.

    • Standard of Care. The level of care in safeguarding Confidential Information should be described. Common examples include “reasonable care”, or “the same care as Receiving Party protects its own confidential information”.

    • Permitted Recipients. NDAs should identify who may access and use Confidential Information shared under the NDA. The following types of permitted recipients are often used: employees, managers, executives, officers, and affiliates. Additionally, it’s a good idea to limit such permitted recipients to only those individuals who have a “need to know” in furtherance of the stated Purpose.

6. Common Exceptions

  • NDAs should include certain exceptions to what information qualifies as “Confidential Information” under the agreement. Information that falls under an exception is not contractually protected under the NDA, and is generally free from any restrictions in the NDA.

  • The following are the most common and generally acceptable exceptions:

    • Information Previously Known. Information already known to the Receiving Party, prior to the disclosure by the Disclosing Party.

      • This and the other exceptions sometimes include an additional condition, that Receiving Party’s contemporaneous records verify or document the veracity of the exception. This condition is generally acceptable, and preferred if your company is sharing important or valuable confidential information.

    • Publicly Available Information. Information that is or becomes publicly available through no fault of the Receiving Party.

    • Lawfully Received from a Third-Party. Information that is rightfully received from a third-party without breach of any agreement or law.

    • Independently Developed Information. Information that is independently developed by Receiving Party without use or reference to Disclosing Party’s Confidential Information.

    • Law or Court or Governmental Order. Confidential Information disclosed pursuant to a court or governmental order, or otherwise pursuant to law or regulation.

  • For companies in larger organizations, there may be an exception to the disclosure restrictions, permitting the sharing of Confidential Information with affiliates of one or both parties. As long as the following limitations are in place, disclosure to a party’s affiliates is generally acceptable:

    • The affiliates (and more specifically, the employees of the affiliates) are on a “need to know” basis related to the Purpose.

    • The affiliates are made aware of the terms and conditions of the NDA, and agree to be bound by confidentiality restrictions that are no less than those provided for in the NDA.

    • The affiliate is any company that directly or indirectly controls, is controlled by, or is under common control with a party to the NDA. Generally, “control” means the direct or indirect ownership of more than 50% of the voting securities or ownership interest in an entity, or the power to otherwise direct the management of the entity.

7. Term Length

  • Generally, there are two time periods that are important for NDAs.

    • The first is the term length of the NDA, which is sometimes referred to as the Disclosure Period. This is the time period when Confidential Information may be shared between the parties and have the protections described in the NDA. A common example would be an NDA that commences on the Effective Date provided in the introductory paragraph of the NDA, and ends 1 year thereafter (other generally acceptable time periods include terms of 2, 3, 4, and 5 years).

    • The second important time period is the Confidentiality Period. This is the time period that the Receiving Party must abide by the restrictive terms of the NDA. This time period generally should be at least 3 years, but can be indefinite. A common example of indefinite language would say something like “The confidentiality and non-use restrictions provided for in this NDA shall continue for as long as Receiving Party possesses any Confidential Information disclosed to it by Disclosing Party.”

  • Some NDAs may apply retroactively. If the NDA has a retroactive term, it’s a good idea to check with the business unit and/or business lead to ensure this retroactive term is acceptable. An example of a retroactive term would say something like, “The Parties agree that the terms and conditions of this NDA shall apply retroactively to any Confidential Information disclosed between the parties, including without limitation any Confidential Information shared prior to the date of this NDA.”

  • The right to terminate the NDA early is an important term related to term length. Generally, a company wants to have the right to unilaterally terminate any agreement, including NDAs. Typically, a 30-day prior written notice condition is acceptable for early termination. But note, the Confidentiality Period and confidentiality restrictions should survive any early termination of an NDA.

8. Disposal of Confidential Information

  • NDAs should describe what happens to the Disclosing Party’s Confidential Information upon expiration, termination, or request by Disclosing Party.

  • Generally, Confidential Information should be returned or destroyed, at Disclosing Party’s option, and in some NDAs, the return and/or destruction must be certified by an employee of Receiving Party.

  • Archival Exception. Generally, in the digital world we live in today, Receiving Parties want to see an exception to the return/destruction of Confidential Information requirement that allows the retention of one copy of Confidential Information that is automatically stored pursuant to Receiving Party’s standard data backup processes and not otherwise generally accessible to anyone outside of the IT department. This reflects the reality that most business IT infrastructures automatically save backup copies of emails and files saved to internal servers, and it would be overly burdensome to require deletion or return of these backup copies.

9. No Warranty

  • For most Normal Business Engagements, the Disclosing Party does not want to provide any warranty for any of the Confidential Information disclosed under the NDA.

  • An “as-is” or no-warranty clause is common in NDAs, and usually should be added to any NDA that does not have one.

  • If any warranty is to be given under an NDA, there should be a compelling business reason for it, and the warranty should be narrowly tailored to the specific business reason.

10. No Transfer of Rights or License

  • Generally, NDAs should not transfer any ownership rights or grant any license to Confidential Information shared under the NDA.

  • NDAs should only give limited permission to the Receiving Party to use the Confidential Information for the stated Purpose, and only allow sharing of Confidential Information with individuals authorized under the NDA.

11. Remedies and Liability

  • NDAs should provide some guidance on what happens if a party violates the terms of the NDA.

  • Most NDAs give the Disclosing Party the right to pursue injunctive relief, without limiting any other monetary damages that may be awarded.

  • Some NDAs include a liquidated damages clause, which can be excessive. These are more common when dealing with highly confidential or special information, or when working with companies that have an aggressive approach to protecting their confidential information. For Normal Business Engagements, companies should try to avoid any liquidated damages clause.

12. Governing Law

  • The NDA should state the governing law, jurisdiction and venue.

  • Companies generally prefer to use the law and courts of the state they reside in. This provides some leverage in the event of litigation. A company’s legal department is usually more familiar with the laws of the state it’s located in, and it can reduce travel and deposition costs, and other related legal expenses, when the court and jurisdiction are within the same state as the company.

  • For US companies, commonly accepted neutral states are Delaware and New York. These states, generally speaking, are more business-friendly, and have efficient court systems for business-to-business litigation. On the other hand, California is a state to be particularly cautious of. Generally, compared to other states, California is more employee and consumer friendly, is viewed as more plaintiff-friendly, has some particularly unique laws in areas like data privacy and employment, and its courts have historically been more willing to admit extrinsic evidence in contract interpretation cases.

  • Overall, this is not a term that is usually negotiated too hard, but the Governing Law should make sense for both parties.

Non-Disclosure Agreements are an important part of daily business operations and risk management. NDAs provide legal protection and reduce risk when disclosing your company’s confidential information and using a third party’s confidential information. Having a thorough understanding of each legal term in an NDA is essential to minimizing legal risk related to confidential information.
