What Is a Non-Disclosure Agreement (NDA)?

Every week, companies share information that would be worth millions of dollars to a competitor — source code repositories, pricing strategies, customer lists, pending product launches, clinical trial results. Most of that information flows to people outside the building: contractors, consultants, potential acquirers, job candidates walking through sensitive offices. The document keeping it confidential is often no longer than two pages and took under an hour to draft. It is the non-disclosure agreement, and its ubiquity in modern business is a measure of how much valuable information moves across organizational boundaries.

An NDA — sometimes called a confidentiality agreement — is a legally binding contract in which one or more parties agree not to disclose specified information to unauthorized third parties. At its simplest, it creates a legal obligation where a moral one already exists. At its most sophisticated, it defines exactly what is protected, for how long, and what the consequences of a breach will be.

Two Structures, Very Different Uses

Most NDAs take one of two forms. A unilateral NDA — the most common type — flows in one direction: one party discloses confidential information to another, and the receiving party is bound not to share it. This structure is standard when a company shares sensitive information with a contractor, vendor, or prospective employee. The disclosing party bears no obligation to protect the recipient's information because the recipient typically is not sharing anything sensitive in return.

A mutual NDA creates obligations in both directions, used when two parties are both sharing confidential information with each other. This structure is typical in merger and acquisition discussions, joint venture negotiations, and product development partnerships where both companies need to exchange proprietary information to evaluate whether to proceed. Mutual NDAs require more careful drafting because each party's confidential information may have different scopes, durations, and risk profiles that need to be addressed symmetrically.

What Makes an NDA Enforceable

Courts have consistently found that overly broad NDAs are difficult to enforce and, in some jurisdictions, unenforceable. An agreement that attempts to cover "all information of any kind" without defining what is confidential, or that prohibits a recipient from working in their field for 10 years, is likely to be narrowed or voided by a judge. The elements that make an NDA hold up are specificity in defining what is covered, reasonableness in duration (2 to 5 years for business NDAs, indefinite for trade secrets in some states), proportionality in geographic scope, and consideration — meaning the receiving party received something of value in exchange for the obligation.

Standard exclusions protect recipients from unreasonable obligations. Information that is already publicly available, independently developed by the recipient without reference to the disclosed materials, or received from a third party not bound by confidentiality cannot typically be subject to NDA protection. These exclusions should be explicitly listed in the agreement so that the scope of the obligation is clear to both parties from the start.

When to Require One — and When It Is Overkill

The NDA has become something of a reflex in the business world, applied to situations where it provides real protection and to situations where it is mostly administrative theater. The former category includes: contractors working with proprietary code, customer data, or unreleased product specifications; M&A discussions where either party's financials or strategy could move a market; clinical or research partnerships involving unpublished findings; and any engagement where the information, if disclosed, would provide a meaningful competitive advantage to a recipient who could use it directly.

The latter category includes asking candidates to sign NDAs before a general first-round interview where no sensitive information will be shared, or requiring them for every vendor contact regardless of what information they actually access. Overusing NDAs creates administrative burden, signals distrust to counterparties, and risks normalizing the documents to the point where signers stop taking them seriously. The right question before requiring an NDA is not "could this person possibly share something sensitive?" but "are we actually sharing something today that has meaningful value to protect?"