A Non-Disclosure Agreement (NDA) is the document that protects confidential information when it must be shared with someone who is not (yet) inside your organisation. Whether you are evaluating a potential acquisition, sharing technical specifications with a vendor, discussing a joint venture, or onboarding a new employee with access to sensitive data, the NDA defines what is confidential, how the recipient must handle it, and what happens if they don't.

This guide explains the difference between one-way and mutual NDAs, the essential clauses every NDA should contain, how to define "confidential information" in a way that is broad enough to be useful and specific enough to be enforceable, and the common drafting traps that make an NDA either too weak to protect or too aggressive to sign.

When You Need an NDA

  • Vendor / supplier evaluation — Sharing requirements, designs, or commercial terms
  • M&A discussions — Sharing financial information, customer lists, IP, strategy
  • Joint venture / partnership exploration — Mutual sharing of business plans
  • Investor pitches — Pre-pitch protection for sensitive financial or technical details
  • Employee and contractor onboarding — Standard term in employment contracts and contractor agreements
  • Licensing and product evaluation — Trial access to software, data, or proprietary methods
  • Research collaborations — Sharing pre-publication results

One-Way vs Mutual NDA

One-Way (Unilateral) NDA

Only one party is disclosing confidential information; the other is receiving. Used when the information flow is genuinely one-directional — e.g., a company evaluating a vendor's product (vendor discloses) or an employer onboarding an employee.

Mutual (Bilateral) NDA

Both parties may disclose confidential information to each other. More common in genuine commercial discussions — JV evaluations, supply negotiations, M&A. Even when one party is the primary discloser, mutual NDAs are often preferred because they are more balanced and easier to negotiate.

Essential Clauses

1. Parties

Disclosing Party and Receiving Party (or both as Disclosing/Receiving for mutual NDAs). Full names, registration numbers, and addresses.

2. Purpose

The defined purpose for which information may be used. This is critical — the Receiving Party can only use the information for this purpose, not for anything else. Examples:

  • "Evaluating a potential supply arrangement for [products]"
  • "Considering a potential acquisition of [target]"
  • "Exploring a joint marketing campaign"

Specific is better than general — a purpose like "any business discussions" provides little protection.

3. Definition of Confidential Information

The most important clause. Should be broad but with standard exclusions:

"Confidential Information means any information disclosed by the Disclosing Party to the Receiving Party, whether orally, in writing, electronically, or by any other means, that relates to the business, technology, finances, customers, employees, or affairs of the Disclosing Party, including without limitation: business plans, financial information, customer lists, pricing, technical data, designs, software, trade secrets, processes, methodologies, and any information marked as confidential or that would be reasonably understood to be confidential."

Standard exclusions:

  • Information that is or becomes publicly available without breach of the NDA
  • Information already known to the Receiving Party at the time of disclosure
  • Information independently developed without use of the Disclosing Party's information
  • Information lawfully received from a third party without restriction
  • Information required to be disclosed by law or court order (with notice to the Disclosing Party if possible)

4. Marking Requirement (Optional)

Some NDAs require disclosing parties to mark information as "Confidential" or to confirm oral disclosures in writing within a defined period. This favours the receiver. The disclosing party usually prefers no marking requirement.

5. Obligations of the Receiving Party

Standard package:

  • Use Confidential Information only for the Purpose
  • Not disclose to third parties without consent
  • Limit access to personnel with a need-to-know
  • Ensure those personnel are bound by confidentiality obligations at least as strict
  • Apply reasonable security measures (at least the same care used for own confidential information, with a minimum standard)
  • Notify the Disclosing Party of any unauthorised access or disclosure

6. Permitted Recipients

Who within the Receiving Party can access the information — employees, directors, advisers, agents. Each permitted recipient must be bound by equivalent confidentiality obligations.

7. Return or Destruction

What happens to the information at the end of the relationship or on request:

  • Return all physical materials
  • Permanently delete or destroy electronic copies, including from email, servers, and backups (with carve-out for archival backups that cannot reasonably be deleted but remain subject to confidentiality)
  • Provide written certification of destruction on request

8. Term

How long the NDA lasts. Two dimensions:

  • Disclosure period — How long the parties may share confidential information under the NDA (e.g., 1–2 years)
  • Confidentiality period — How long the obligations survive after disclosure (e.g., 3–5 years from disclosure, or indefinite for trade secrets)

9. No Licence or Ownership Transfer

Disclosure does not grant any licence or rights in the underlying information. The Disclosing Party retains all IP rights. The Receiving Party gets no rights beyond using the information for the Purpose.

10. No Obligation to Proceed

The NDA does not oblige the parties to enter into any further transaction. Either party can walk away from the discussions at any time without liability.

11. No Warranty

Information is provided "as is" without warranty of accuracy or completeness. Liability for reliance on the information is limited or excluded (subject to fraud carve-out).

12. Remedies

The Disclosing Party is entitled to injunctive relief in addition to damages for breach. Confidentiality breaches often cause harm that cannot be adequately remedied by damages alone — injunctive language strengthens enforcement.

13. Non-Solicitation (Optional)

In commercial-discussion NDAs, a clause prohibiting the receiver from soliciting the discloser's employees or customers for a period (typically 12 months) is common. Some receivers resist this and try to limit it to people with whom they have actually had contact.

14. Governing Law and Jurisdiction

Malaysian law. Malaysian courts or arbitration (AIAC). For cross-border discussions, careful thought about the jurisdiction in which the NDA will need to be enforced is required.

15. General Provisions

Notices, entire agreement, amendments in writing, severability, assignment, no waiver, counterparts, electronic signatures.

Worked Example — Definition Clause with Exclusions

"Confidential Information" means all information disclosed by the Disclosing Party to the Receiving Party, in any form, that relates to the business, technology, finances, customers, employees, or affairs of the Disclosing Party, whether marked as confidential or not, including without limitation business plans, financial statements, customer lists, pricing strategies, product designs, source code, and trade secrets.

Confidential Information does not include information that:

  • (a) is or becomes publicly available without breach of this Agreement;
  • (b) was lawfully in the Receiving Party's possession before disclosure;
  • (c) is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information; or
  • (d) is lawfully received from a third party not under a confidentiality obligation."

NDAs and Employment

NDAs are routinely embedded in employment contracts as confidentiality clauses rather than standalone documents. They cover:

  • Information learned during employment
  • Customer information
  • Internal processes and trade secrets
  • Post-termination obligations (continuing for a period after leaving)

For sensitive roles (R&D, M&A, executive), a separate, more detailed NDA may supplement the employment contract.

Practical Limits of NDAs

An NDA does not actually prevent leaks; it provides recourse if they happen. Practical considerations:

  • Catastrophic disclosures cannot be undone. Damages are limited; some information is uniquely valuable
  • Tracking violations is hard. If the recipient uses the information internally, the disclosing party may never know
  • Enforcement is expensive. Legal action over an NDA breach is costly and slow
  • Foreign recipients add complexity. Cross-border enforcement is materially harder

The lesson: NDAs supplement, not replace, sound information handling. Disclose only what is necessary, use staged disclosure (general first, specific later), and reserve highly sensitive materials for late-stage discussions with strong commercial commitment.

Common NDA Mistakes

  • Definition too narrow. Limited to "marked as confidential" misses unmarked verbal disclosures
  • Definition too broad. Includes everything the receiver might ever know — unenforceable
  • No purpose limitation. Receiver can use information for any purpose
  • Term too short for trade secrets. A 1-year term on trade secret information is inadequate
  • Term too long for general information. Indefinite obligations on routine commercial information are unenforceable
  • No injunction language. Damages alone are an inadequate remedy for confidentiality breach
  • No destruction obligation. Receiver retains data indefinitely after the discussion ends
  • One-way NDA where mutual is appropriate. Both parties will share something; one-way is awkward and slow to negotiate
  • No governing law / jurisdiction. Enforcement uncertainty
  • Signed too late. NDA signed after material disclosures have already happened

Generate a Non-Disclosure Agreement with Popupnote

The Non-Disclosure Agreement Generator on Popupnote produces a structured NDA with purpose, definition of confidential information with standard exclusions, obligations, permitted recipients, return/destruction, term, remedies, and governing law. It supports both one-way and mutual structures, and includes optional non-solicitation provisions. The generator runs in your browser without any account required.