NDA Clauses: What a Legally Sound Non-Disclosure Agreement Must Contain

Which clauses must an NDA contain to hold up in court? The seven essential clauses of a sound non-disclosure agreement and the gaps that appear most often in free templates.

TD
June 14, 2026

Many free NDA templates on the web look complete but are not. On closer inspection, critical clauses are missing: no remedy for breach, a vague definition of what is confidential, no governing law, no exceptions for information that is already known. The result is an NDA that does not hold up in court, or one that binds a company without protecting it.

This article shows the seven essential clauses every sound NDA must contain, and the mistakes that keep appearing in free templates. If you just want a vetted template to start from, you can download our free non-disclosure agreement template.

What is an NDA, and when do I need one?

An NDA (non-disclosure agreement) is a contract that governs how confidential information exchanged while building a business relationship is handled, for example before a partnership, acquisition or collaboration.

An NDA makes sense whenever you have to share confidential information with a third party: internal processes, cost calculations, customer lists, technology or business plans. The NDA sets out that the recipient may not pass that information on or use it for their own purposes. Without an NDA, the other party can often legally do whatever they want with your information.

If you want to clarify the basics first, what an NDA means and which types exist, read the overview What is an NDA?.

What must a legally sound NDA contain?

An NDA is only as effective as its clauses. Seven elements are essential: a definition of what is confidential, exclusions, duration, treatment at the end of the relationship, a use restriction, remedies, and governing law.

1. Definition of confidential information

This is the most critical clause. It must state precisely which information is protected. A good definition covers written information, information disclosed orally, technical data, business plans, customer lists and pricing. Importantly, say specifically how you mark something as confidential (for example, a "Confidential" legend). Without that precision, it is unclear what the NDA actually protects.

2. Exclusions from the confidentiality obligation

Every NDA needs clearly defined exceptions, otherwise it is legally vulnerable. Standard exclusions: information that was already public before you disclosed it; information the recipient independently learns from a third party; information that was already in their possession. Disclosure compelled by law (a regulator or court) is also an exception you should address explicitly.

3. Duration of the confidentiality obligation

How long must the recipient keep the information secret? Three to five years after the end of the relationship is standard. For genuine trade secrets (formulas, processes) the term can be indefinite, provided it stays reasonable. The duration must be in the contract, otherwise the recipient could make the information public after a few months.

4. Return or destruction at the end of the relationship

What happens to the confidential information when the business relationship ends? The NDA must address: return or destruction of all materials, written confirmation, and exceptions for legal retention obligations. This clause is often forgotten, but it leads to disputes when information remains with the other side after the relationship ends.

5. No license / use restriction

The NDA must say clearly: the recipient gains no license, no ownership, no intellectual-property rights in the information. The fact that you tell someone something does not mean they may use it. This avoids disputes over implied licenses.

6. Remedies for breach

What happens if the recipient breaches the NDA? The clause should provide that damages are payable and that injunctive relief is available (important, otherwise you wait months for a judgment while the leak spreads). A fixed liquidated-damages amount can also help, but only if it is a genuine pre-estimate of likely loss, not a penalty, because common-law courts strike out penalty clauses. Without a meaningful remedy, the NDA is economically toothless.

7. Governing law and jurisdiction

An NDA should specify the governing law and the venue (court) for disputes. This avoids fights over jurisdiction and unifies the legal position. For cross-border agreements, arbitration can also be sensible.

Unilateral or mutual NDA: which do I need?

The choice depends on how asymmetric the exchange of information is: unilateral when only one side shares sensitive data; mutual when both parties receive confidential information from each other.

A practical note: many mid-sized companies use mutual NDAs even in customer conversations. That is more defensive and fairer, but takes a little more negotiation. Unilateral NDAs are faster when you are clearly the only party disclosing information.

What mistakes appear in most free NDA templates?

The four most common mistakes: an overly broad definition of what is confidential, no clause for compelled disclosure, no return confirmation, and no rule for accidental breaches.

Mistake 1: An overly broad definition of what is confidential

Some templates protect "all information that is disclosed." That is too broad; a court will likely reject it because it is unrealistic that truly everything is confidential. Better: a positive list (this information is protected) rather than a catch-all.

Mistake 2: No clause on compelled legal disclosure

What happens if a regulator or court compels disclosure of the confidential information? Many free templates do not address this. Professional NDAs say: if you are compelled to disclose, you must notify me beforehand so I can seek a protective order or injunction.

Mistake 3: No confirmation on return

"All materials will be returned or destroyed", but how is that proven? The best template requires written confirmation from the recipient that everything was actually returned or destroyed. Without it, you cannot later prove that your secret still exists on the other side.

Mistake 4: No rule for accidental disclosure

If the recipient breaches the NDA accidentally (for example, sends an internal email with your information to the wrong person), the NDA must make clear that this is still a breach. Some templates say "only intentional breaches count", which is too weak.
