How to Review an NDA Before You Sign

Non-disclosure agreements are the most common contract you'll be asked to sign in your professional life. Job interviews, vendor pitches, investor meetings, partnership conversations, beta product access — they all start with an NDA. Most NDAs are routine. Some are quietly aggressive in ways that can cost you years of your career.

This guide walks through the eight things to check before signing any NDA. It's written for freelancers, contractors, employees, and founders who get handed NDAs faster than they can read them. None of this is legal advice: for high-stakes NDAs (M&A, employment with equity, partnership terms) you should still have a lawyer review the document. For everything else, this checklist plus a careful read catches the issues that matter.

If you'd rather skip the reading, ClauseCheck analyzes NDAs in about two minutes and flags every concerning clause in plain English. Your first review is free — no signup required to view a sample report first.

1. How "Confidential Information" is defined

The definition of Confidential Information is the whole NDA in one paragraph. Read it first, read it carefully, and read it skeptically. Broad definitions mean you're obligated to treat almost everything you see or hear as confidential — including things that probably shouldn't be.

What's normal: a definition that covers specific categories like business plans, financial data, customer lists, technical information, and unreleased product information, plus a catch-all for "information marked or identified as confidential."

What's a red flag: "any and all information, in any form, whether or not marked or identified as confidential, that Recipient learns or has access to in connection with the engagement." That sweeps in everything — including information you already knew, information that's publicly available, and information you'd reasonably remember in your career going forward.

What to negotiate: limit the definition to information that's either marked confidential, identified as confidential in writing within a reasonable window (30 days) of disclosure, or would obviously be confidential by its nature (financials, customer data, trade secrets).

2. Term length — how long the obligation lasts

How long must you keep this information confidential? The answer is buried in a single sentence somewhere in the agreement, and it ranges from 2 years to forever. Long terms aren't necessarily bad — but unlimited terms applied to ordinary business information are an overreach.

What's normal: 2-5 years for general business information. Perpetual obligations only for genuine trade secrets (things that derive value from being secret and that the disclosing party actively protects).

What's a red flag: "The obligations of confidentiality shall survive termination of this Agreement in perpetuity" applied to all confidential information, not just trade secrets. Also watch for term language that's missing entirely: an NDA with no stated term or survival period is usually read as open-ended, which in practice means indefinitely.

What to negotiate: tier the obligation. General business information confidential for 2-5 years, trade secrets confidential for as long as they remain secret. If you're being asked to keep ordinary information secret forever, push back — that's not standard.

3. Permitted disclosures and carveouts

Even strict NDAs should carve out four categories of information from the confidentiality obligation. Missing carveouts turn a routine NDA into a trap.

Standard carveouts: information that is or becomes publicly known through no fault of the Recipient, information the Recipient knew before disclosure, information independently developed by the Recipient without reference to the disclosed information, and information legally required to be disclosed (e.g., by subpoena or court order). Many NDAs add a fifth: information the Recipient receives from a third party that is not itself bound by a confidentiality obligation.

What's a red flag: NDAs that omit one or more of these carveouts, or that include carveouts but burden them with impractical requirements ("Recipient must provide 30 days' written notice and a notarized affidavit before disclosing pursuant to a court order").

What to negotiate: add all four standard carveouts (and the third-party one) if any are missing. For the "legally required" carveout, the obligation should be to notify the Disclosing Party promptly and cooperate with their attempts to obtain a protective order, not to refuse the subpoena and risk contempt.

4. Return-or-destroy obligations at the end

When the relationship ends, what happens to all the confidential information? Most NDAs require you to return or destroy it. Reasonable in concept, but the details matter — especially if you've integrated the information into your own work product.

What's normal: a requirement to return or destroy tangible documents and delete electronic copies within a defined window (typically 30-60 days), with allowances for archival backups that aren't actively accessed.

What's a red flag: "Recipient shall, within 5 business days of termination, return or destroy all Confidential Information and provide written certification of destruction signed under penalty of perjury." That ignores how real organizations handle data (you can't surgically delete emails from backups in 5 days).

What to negotiate: realistic timelines (30-60 days), explicit allowances for backup archives that are retained but not accessed, and certification by an officer rather than under penalty of perjury. Carve out any work product that incorporates the information for which you have a legitimate retention right.

5. Hidden non-competes and non-solicits

Some NDAs include clauses that have nothing to do with confidentiality. The most common: a non-solicit ("Recipient shall not solicit Disclosing Party's employees or customers for X months/years") or a non-compete ("Recipient shall not engage in any business that competes with Disclosing Party for X months/years"). These get buried in NDA documents because Recipients don't expect to see them.

What's normal: an NDA does not contain non-compete or non-solicit clauses. Those belong in employment agreements or independent contractor agreements, not in a document called "Mutual Confidentiality Agreement."

What's a red flag: any restriction on your future business activity, regardless of how it's phrased. Pay attention to terms like "shall not" combined with anything about "customers," "employees," "competing business," or "similar services."

What to negotiate: strike the clause entirely. If the other side insists on a non-solicit (sometimes reasonable for confidential customer lists), limit it to 6-12 months and to people you actually met through this engagement — not their entire employee or customer base.

6. Residual knowledge clauses

What you keep "in your head" after the engagement ends matters enormously if you work in the same industry. Some NDAs explicitly preserve your right to use general knowledge retained in unaided memory; others explicitly DISALLOW it, which would effectively prevent you from working in your field.

What's normal: a residuals clause that says something like "Recipient may use general knowledge, skills, and experience retained in unaided memory, provided that this does not authorize the use of any specific Confidential Information."

What's a red flag: language like "Recipient agrees not to use any information learned during the engagement, whether or not retained in memory, for the benefit of any other party." That's effectively a permanent non-compete written as an NDA term.

What to negotiate: add a clear residuals clause if one is missing. Skills, general industry knowledge, and unaided memory should always remain yours. Confidential information that's specifically identified as such is what stays protected — not your professional development.

7. Mutual vs. one-way NDAs (and asymmetric "mutual" ones)

Mutual NDAs apply to both parties. One-way (or unilateral) NDAs apply only to the Recipient. Both are common; what matters is whether the structure matches the actual information flow.

What's normal: if both parties will share confidential information (typical for partnerships, joint ventures, M&A discussions), a mutual NDA with symmetric obligations. If only one party is sharing (typical for vendors, contractors, evaluators), a one-way NDA where only the Recipient is bound.

What's a red flag: a "mutual" NDA where the obligations are actually asymmetric — Recipient has a 5-year confidentiality term while Disclosing Party has a 2-year term, or Recipient has perpetual indemnification obligations that Disclosing Party doesn't. Read carefully — the document might be labeled mutual without actually being symmetrical.

What to negotiate: if the document says "mutual," make sure every obligation applies symmetrically. If only one party will share information, use a one-way NDA — it's cleaner and more honest about the relationship.

8. Jurisdiction and dispute resolution

If something goes wrong, where do disputes get resolved? Most NDAs include a governing law clause (which state's laws apply) and a forum clause (which state's courts hear the case). These matter because litigating in another state is expensive and inconvenient.

What's normal: governing law and forum in the Disclosing Party's home state (when they're a larger company) or in a neutral jurisdiction agreed by both parties.

What's a red flag: governing law and forum in a state with no obvious connection to either party, combined with mandatory arbitration in that state. (Delaware and California are common choices for corporate and procedural reasons, and are usually fine.) Worst case: forum in a small foreign jurisdiction with no English-language proceedings.

What to negotiate: for routine NDAs, accepting the other party's home jurisdiction is usually fine. For high-stakes NDAs with significant potential exposure, push for neutral jurisdiction or your home state. Keep injunctive relief available in your local courts so you can get emergency orders without traveling.

Frequently asked questions

How long is too long for an NDA?

For ordinary business information, 2-5 years is standard and reasonable. 5-7 years is on the aggressive end but often acceptable for sensitive financial or customer data. Anything longer than 7 years applied to general business information is overreach — push back. Perpetual obligations should be limited to genuine trade secrets only.

Are NDAs ever unenforceable?

Yes. NDAs that are unreasonably broad, that cover information that's already public, or that effectively prevent the Recipient from working in their field can be found unenforceable in many jurisdictions. NDAs that try to silence whistleblowers about illegal conduct are unenforceable as a matter of public policy in most US states, and federal law (the Defend Trade Secrets Act, 18 U.S.C. § 1833(b)) grants immunity for disclosing a trade secret in confidence to a government official or an attorney solely to report or investigate a suspected violation of law. None of this means you should ignore an NDA's terms: fighting one in court is expensive even when you win.

What's the difference between an NDA and a confidentiality agreement?

For most of them, none. "NDA" (non-disclosure agreement), "confidentiality agreement," and "proprietary information agreement" all describe the same type of document. A "PIIA" (Proprietary Information and Inventions Agreement) is the employment variant and goes further: it also assigns inventions you create during employment to the employer, so read its invention-assignment terms as carefully as the confidentiality terms. Don't be guided by the name; read what's actually in the document.

Can I refuse to sign an NDA?

Yes, but doing so might end the conversation. If the NDA is reasonable, sign it. If it's overreaching, negotiate. If it's full of red flags and the other side won't budge, consider whether this is a counterparty you actually want to work with — companies that send aggressive NDAs at the start of a relationship often turn out to be aggressive throughout it. Walking away is sometimes the right answer.

Does ClauseCheck analyze NDAs?

Yes. NDAs are one of the most common contract types ClauseCheck analyzes — every one of the eight categories above is part of the analysis. Upload any NDA (PDF, DOCX, or paste text) and get a clause-by-clause risk report with plain-English explanations in about two minutes. Your first review is free.

Want this analyzed on your actual NDA?

Drop your NDA into ClauseCheck and get a plain-English risk report in about two minutes. First review is free, no card required.

Free to start · No credit card required

ClauseCheck is not a law firm and does not provide legal advice. Our AI analysis is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney for legal matters.