Sunday, February 16, 2014

Cult of the NDA 2014

The dot-com boom is in full force again, and with it the Cult of the NDA.  Seems that every time you bump into someone, they want you to sign their confidentiality agreement before they split a bar tab.  If you are a software consultant or contractor, you will have to sign many NDAs between now and the next crash of the NASDAQ, so here's a handy little guide for what to look for -- and what to look out for -- before signing.


Must Have

If these things are not in the NDA, you should walk away from the contract.  Without these provisions you've voluntarily accepted a time bomb which could destroy your company.

A Clear Definition of what constitutes confidential materials.  This definition will often be quite broad, but should prevent someone from retroactively redefining something as confidential after disclosure.

Exemptions for three things: stuff you already knew before signing, stuff made public without your involvement, and stuff you are required by law to disclose to a court or law officer.  NDA-writers often forget the last, but in these Patriot Act days, you can't afford to.

A Time Limit.  These will often be quite long, like five or seven years, but you don't want to sign an NDA you'll pass on to your grandchildren.

Would Like

There are a couple things which you'd like to get into an NDA if you can, but aren't essential.

You'd like the NDA to be Mutual; that is, it should protect your secrets as well as the client's.

If you're going to be doing open source work, the NDA should contain an Exemption for Open Source Code release.  Often you can put this in the Statement of Work if it's missing in the NDA, though.

A defined Procedure for Granting Exceptions from the NDA.

Can Tolerate

There's a bunch of stuff which often appears in NDAs, and you're not really keen on, but it's standard and you shouldn't balk over it.

Right to a Preliminary Injunction for the client.  This is normal; it just means that they can slap you with a gag order if they think you're disclosing secrets, until it goes to court.

Jurisdiction in the Client's Home State: just like you want the jurisdiction to be local to you, the client wants the same.

A "Reasonable Care" requirement for handling confidential data.  This is, after all, only reasonable, although at some point you should talk to your lawyer about what it specifically means in your state.

A Remediation Procedure if data is disclosed: this is normal for contracts tied to vendors under HIPAA, SOX, or PCI.

Warning Signs

Any of the below appearing in an NDA is a reason to send it to your attorney for specific review.  Several of them appearing together is a reason to run, not walk, away from the negotiating table.
  • Indemnification for third-party suits resulting from a violation of the NDA.  This requires you to have D&O insurance, among other things.
  • Weird Legal Jurisdictions, such as another country, or a state which isn't yours or theirs.
  • Right to Examine Your Files: they can't do this without violating your confidentiality agreements with other clients.
  • "Utmost Care" or other weakly defined standards of secrecy.
  • A "No Reverse Engineering" clause without an "unless required for performance of Services" clause.
  • Limitations on Work for other companies, "competitors", or "companies in the same industry".  If you sign these, eventually you won't be able to work at all.
  • Excessive Length is a warning sign on its own; if the NDA is more than 2 pages and doesn't contain a full HIPAA or PCI agreement, then it's probably hiding something.

Hopefully that helps fight the cult.  Happy contracting!

NOTE: Josh Berkus is not an attorney, and the above does not constitute legal advice.  You should always consult your own attorney on specific contracts and agreements.  Further, the above advice is heavily slanted towards California law (but then, so are dot-com NDAs).


  1. Clauses that amount to non-competes (such as the limitation on work) tend to be non-enforceable in most jurisdictions and can thus essentially be ignored fairly safely (IANAL either though).
    That said, they also tend to be indications of the attitude of the other party and as such should be regarded with great suspicion.

    1. Absolutely. Plus, non-compete law varies a LOT by jurisdiction, so you don't want to count on it being invalid.

  3. Josh, thanks! This looks like a really useful breakdown. Much appreciated :)

  4. This is a really great post, on an important subject that many devs/engineer types don't like to pay attention to, admittedly because the fine print is boring, and we like to build stuff. I personally have always liked the simplicity of having one customer/contract at a time, a.k.a. full time employee status, but it leaves you with a single egg basket.