What is an NDA and when does your business actually need one?

An NDA creates a legal obligation on one or both parties not to disclose confidential information shared during a business relationship. It defines what information is confidential, how it can be used, how long the obligation lasts, and what happens if the obligation is breached.

The key function of an NDA is not to prevent disclosure — it is to create a legal remedy if disclosure occurs. If someone discloses your confidential information without an NDA, you may have limited recourse. With a well-drafted NDA, you have a contractual claim and potentially an injunction to prevent further harm.

NDAs don't make information more secure. They create accountability. The practical effect is that parties who know they've signed a confidentiality obligation are less likely to share information carelessly.

A one-way (or unilateral) NDA protects information flowing in one direction. The disclosing party shares confidential information; the receiving party agrees not to disclose it. This is appropriate when only one party is sharing sensitive information.

A mutual NDA protects both parties' confidential information and is appropriate when both sides will be sharing sensitive material — as in partnership discussions, M&A negotiations, or joint ventures.

Defaulting to a mutual NDA in all situations is a common mistake. It creates obligations on your own information that may be unnecessary, and it can complicate situations where you want to use information you've shared freely.

The definition of confidential information is the most important clause in an NDA. Too narrow, and it doesn't protect what matters. Too broad, and the receiving party doesn't know what they're agreeing to protect — which can make the clause unenforceable.

A practical definition includes information that is marked or designated as confidential at the time of disclosure, and information that a reasonable person would understand to be confidential in context (such as financial projections, product roadmaps, or customer lists). It should also exclude information that is already publicly available, was already known to the receiving party, or was disclosed by a third party without breach.

These exclusions are not weaknesses — they're essential to making the NDA enforceable. An NDA that attempts to protect publicly available information would not be upheld.

NDAs should specify how long the confidentiality obligation lasts. Perpetual NDAs — with no end date — are generally unenforceable because they impose obligations without limit of time. Courts are reluctant to enforce open-ended obligations.

A practical duration for most business NDAs is two to five years from the date of signing or the date of disclosure. For genuinely sensitive IP — particularly in technology or pharmaceutical contexts — longer terms may be appropriate, but they need to be clearly justified.

After the NDA expires, information that remains genuinely secret may still be protected by other legal principles (such as the law of confidence), but the contractual obligation has ended. For ongoing sensitive relationships, renewing the NDA periodically is good practice.

Not every business conversation requires an NDA. Pitching to investors at an early stage, attending industry conferences, participating in public tender processes, and general business development conversations typically do not require one — and asking for one in these contexts often signals inexperience.

The question to ask before presenting an NDA is: am I sharing information that, if disclosed, would cause me measurable harm? If the answer is no, an NDA is probably unnecessary. If yes, it's worth having one.

The best NDA is one that's used at the right moment, drafted clearly, and understood by both parties before it's signed.